Greater clarity and focus on model validation is one of the keys to future AML efficiency and return on the massive investments that are made to protect companies and their clients from AML and financial crime and assure regulatory compliance.
Model validation in AML/CTF is an established part of international industry practice, and specifically so in U.S. regulations since 2012. In the Swedish context, what should constitute a model has been subject to questioning, with transaction monitoring and customer risk classification as good examples of models while requirements on what should be conceptually classified as a model remain somewhat unspecified in regulatory guidelines.
Current regulations in Swedish came into play in 2017, and AML/CTF capabilities in the Nordic financial industry are moving towards higher levels of maturity. As regulators and the industry move to higher levels of maturity, we are seeing a shift from basic systems support to a greater focus on efficiency and assuring processes linked from risk assessment to customer risk categories and transaction monitoring.
AML/CTF Model validation has as its purpose to evaluate to what extent specific models are appropriately designed adequately to fit purpose, method approach and effective risk coverage. It should also ensure delivery in terms of customer risk classification, alarms on transactions or behavior patterns according as intended.
Clearly, model validation and efficiency reviews of technical aspects of transaction monitoring as well as customer risk classification are now also focus issues for financial supervisory authorities in the Nordic region.
This is confirmed by a number of high-profile sanction cases where FSA point out shortcomings including:
• Lack of or insufficient evaluation and review/tuning of systems and models
• Inefficient scenarios or risk classification causing inefficient management and lack of a risk-based approach in resources deployment.
• Lack of differentiated transaction monitoring in order to reflect different customer risk categories
• Transaction monitoring often lacks coverage of risks and products such as financial instruments
• The logic link between the institution’s risk assessment and risk factors that scenarios should follow or customers’ risk classification is not in place
• Management follow-up of measures and AML work was too weak
A common challenge in the follow-up of AML operations in both 1st and 2nd line and model validation, is to ensure that processes are integrated with or can relate to Suspicious Activity Reporting / Suspicious Transaction Reporting and feedback.
Without this in place, weaknesses will occur throughout the chain of processes, and can result in quality deficiencies in the most fundamental parts of AML/CTF obligations. It also remains a challenge across the industry to ensure relevant KPI:s based on the evaluation of mitigating controls efficiency and continuous feedback from SARs/STRs. Moreover risk assessment needs to be established as a continuous process, and not a single “on-off” exercise.
A further recommendation is to continuously strive for coordination between financial crime prevention, compliance and risk control functions respectively. Risk control typically covers capital adequacy model validation, credit and market risks, data quality and model stability. Several issues are often common, and the units can also support each other with different competencies.