Steps to Improve AML ComplianceHow a Small Community Bank Improved Its Security Posture
Large and small institutions face heightened scrutiny, and relying too heavily on rules-based software can hinder an institution's attempts at identify high-risk customers in a real-time fashion.
"We were getting reports showing that we had more than 200 high-risk customers, and for a bank our size in our location that's just not realistic," says Nancy O'Donnell, vice president of compliance and risk for Thomaston Savings Bank, a Connecticut-based community bank with $676 million in assets.
By using anti-money laundering software that isn't rules-based, banks can eliminate spreadsheets and manual processes to review suspicious activity. But finding the right software solution can sometimes take time. In the case of Thomaston, it took over a year to move from a manual to a more automated process.
The software they eventually chose tracks anti-money laundering and fraud, which helped to consolidate two separate departments in the bank. With automated software, all the information O'Donnell needs is in one place. "You don't have to be logging in and out and going and checking in different places," she says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
During this interview, O'Donnell discusses:
- The need for strong AML policies and procedures at banking institutions of all asset sizes and locations;
- The ROI of automating AML;
- Why any institution, regardless of size, can lean on automated processes to better integrate their AML and fraud-detection departments and practices.
O'Donnell is the vice president of compliance and risk for Thomaston Savings Bank. She also serves as the bank's BSA compliance officer.
TRACY KITTEN: Why don't we start off by having you tell our audience a little bit about Thomaston Savings Bank?
NANCY O'DONNELL: Thomaston Savings Bank is a fairly small mutual savings bank. We were chartered in 1874 and we currently have nine branches, soon to open our tenth in the first quarter of next year, and we have just under 150 employees.
BSA and AML ComplianceKITTEN: Relative to all of the regulatory compliance mandates that Thomaston is focused on, why did the Bank Secrecy Act and why did compliance with AML raise concerns for the bank?
O'DONNELL: It seems that the regulators often have kind of their flavor of the month when they come in to do a compliance exam. You never know exactly what they are going to look at. Sometimes it might be another lending compliance regulation, but it's always BSA and anti-money laundering. Every time the regulators come in that's still one of their priorities, and as long as it's a regulatory priority it's definitely going to be a priority with the bank.
KITTEN: We've noticed that the industry has recently seen some pretty steep fines coming down on banks for non-compliance with certain BSA and U.S. Patriot Act mandates versus vicious activity reporting. Of course a lot of these fines have come down on the larger institutions. Where did Thomaston see gaps in its own SARs and KYC controls? I would like to ask, as a smaller institution do you see the perspective of regulators changing a bit?
O'DONNELL: I don't know that their perspective has changed. They have always been pretty thorough in coming out and looking at our controls and how we process things. I think our biggest gap is the reliance that we have on our branches to detect and report suspicious activity. They do pretty well with the "know your customer" controls. Usually when you are in a branch you see the same folks over and over, so they really do know their customers. The hardest part is identifying suspicious activity. Sometimes I get the feeling that the branches don't think anything is really suspicious, and part of that is because they don't get the chance to see the whole picture. They're really only seeing what's happening at their particular branch.
Problems with Rules-Based SoftwareKITTEN: You've noted that the bank was frustrated with limitations when it came to the existing kind of static or rules-based compliance software that you had been using. Can you tell us how the limitations that you were talking about basically were allowing certain suspicious activity or different things to slip through the cracks?
O'DONNELL: The first problem that we were having with the rules-based software was we were getting too many false-positive cash reports. Sometimes when a teller is processing say a split-type of transaction ... to the software [it might] look like a cash report when it truly isn't. It was taking us a lot of time and energy to sort through all these false reports and try to determine what really happened. The other problem was trying to identify who the higher-risk customers are. We were getting reports showing that we had more than 200 high-risk customers, and for a bank our size and in our location that's just not realistic. We are probably looking at 70 higher-risk customers as opposed to more than 200.
KITTEN: And you had also talked about the paper trail of spreadsheets. How can financial institutions do better jobs of automating AML solutions so that this manual review of so many spreadsheets is no longer part of the equation?
O'DONNELL: By using anti-money laundering software that is not rules-based, it can almost think for you. That really helps to eliminate the spreadsheets. We currently have one spreadsheet that we're using right now and the only reason that we still have that spreadsheet is because for so long we were not collecting the right information from our customers and entering it into our core systems so that we could accurately assess risk. Now we're kind of keeping the spreadsheet and working on getting everything into our core so that an intelligent system can work more effectively for us.
Moving to an Automated ProcessKITTEN: Tell us a bit about how the bank initiated this change in its AML practices and the solutions that it now uses. How long did it take to move from this manual process to a more automated process?
O'DONNELL: It took us I would say just over a year. What started the process for us was we were using software in conjunction with all of our spreadsheets and our core provider notified us that they would no longer be supporting that AML product. They were planning to migrate us over to their new solution. At that time, I really viewed that as an opportunity to move forward and get away from the spreadsheets and all the manual processing.
Picking the Right VendorKITTEN: What about the review of different vendors and what ultimately pushed you from a primarily manual process to a more automated one?
O'DONNELL: The first thing I did was I looked at the solution that our core provider was offering to us. I just thought that would be the easiest to implement. After reviewing their demo, I was really less than excited about their product and I didn't feel that it was going to help us migrate away from the manual process, so I started talking. I belong to a state-wide compliance association, and I reached out to some of the different members to see what they were using and surprisingly enough a lot of them are still using manual spreadsheets. But the last time our examiners were in they commented how difficult it must be to really be on top of things by using that manual spreadsheet. It was even a little difficult for them to understand what I was doing by laying out all these spreadsheets on the table for them, so that kind of prompted me to see that I needed to have a better solution, something that was going to be easier to manage. Around the same time we got some marketing information from Verafin so we arranged a demo with them and we were really happy with what we saw, and it did take us just over a year to get it all implemented where we felt comfortable with it.
KITTEN: I want to ask you a little bit about what made the solution that you decided to go with different, and perhaps part of the answer is going to come from the response to this question. We've talked quite a bit recently in the industry about the advantages that new AML solutions offer to banks and credit unions when it comes to integrating AML and fraud detection. Thomaston has actually integrated its AML and fraud departments to some degree. Can you give us some background about how the new solution that you have invested in is allowing you to do that?
O'DONNELL: The new solution tracks both anti-money laundering and fraud. We used to have it in two separate departments, but we overlap in so many ways. A lot of times when people are being involved in some type of money laundering they may be perpetrating other types of fraud. It was so important for the two departments to be sharing information and constantly be in communication so we actually ended up combining the two departments since we now have this one software that is tracking everything. It puts the whole picture right in front of you instead of trying to pick pieces from different people.
Differences Between Large and Small BanksKITTEN: Right, and I was going to ask how the technology allowed you to marry these two departments. I'm wondering if you see your situation as being different from perhaps a larger institution. Would it be difficult for a larger institution to bring these two departments together in a similar way?
O'DONNELL: I don't think it really would. If everything is there in one place, a bigger institution would probably have multiple people reviewing the software, but you can still cross-reference so easily because everything is just right there in one software. You don't have to be logging in and out and going and checking in different places. We have the capability to detect potential money laundering, debit card fraud, check hiding and new account fraud all in one place. I think whether it's a big bank or a small bank, having it all right there just makes it easier to manage.
KITTEN: Right, that makes sense. We talk so much about the investment that goes behind some of these solutions that it's very costly and some institutions just don't think they are going to get their return on investment. Do you expect though to see or experience some type of cost reduction now that AML and fraud detection are better integrated?
O'DONNELL: Actually, I was looking to add staff to my department to better manage all of these pieces, the fraud and the AML, but now that I have everything combined into one [piece of] software we can devote our resources to other avenues such as managing new regulations.
KITTEN: Before we close, what final thoughts would you like to leave our audience with generally?
O'DONNELL: I feel like I'm operating so much more efficiently now with this combined solution. I'm more comfortable that we're not missing any potential suspicious or fraudulent activity and it has just made my job a lot easier.