Operational resilience and the pandemic has exposed firms’ vulnerabilities in their financial crime systems and controls

Background

In our previous article we mentioned how the COVID-19 pandemic has exposed certain operational vulnerabilities in firms’ financial crime systems and controls. In this article, we take a closer look at this issue, describing specific examples of weaknesses we have seen and what could be done to help firms become operationally resilient.

Executive summary

Without question the pandemic has stretched firms’ operational capabilities. As a result, firms have been forced to reprioritise some of their activities, transferring staff to support more pressing areas of their business. This has meant that maintaining robust and up to date financial crime systems and controls may have moved down their agendas leaving firms exposed.

Customer due diligence processes have had to adjust

The restrictions on face-to-face interactions during lockdown have limited firms’ operational ability to perform in person customer due diligence (CDD), which may have led to operational difficulties in appropriately verifying customer identity or to do so in a timely manner. In many cases the application of online CDD tools have been piecemeal, not providing a complete substitute for in person CDD. With the significant impact that the pandemic has had on staff and customer demands there has been a risk that firms may not have had time to check if their adjustments to the CDD process are in line with their risk profile. In practice, firms have had to be more flexible in their assessment including re-adjusting customer onboarding processes or risk assessments to enable customer acceptance with view to quality-assuring the information at a later stage. However, this has not compromised a firm’s decision to reject customers where there are difficulties in obtaining the required essential CDD information. Some firms have also based their assessment for new products and services on historic CDD customer information, particularly where there is an urgency to allow access to services and products to vulnerable customers or customers seeking business interruption loans.

Many firms have managed to update their online platforms and provide support to those customers who are not as familiar with their online platforms. However, departure from traditional forms of verification does not necessarily mean that such firms should only rely on online software tools or third party digital identity providers. Ultimately, firms need to be comfortable that they understand who the customer is, that the evidence obtained reflects that of the customer’s risk profile and the decision-making process is adequately documented irrespective of the type of software used.

Re-calibrating transaction monitoring triggers and parameters is a must

Focus on immediate operational threats caused by COVID-19 have led firms to re-calibrate transaction monitoring triggers and parameters, be it for the purpose of monitoring anti-money laundering (AML) or market abuse transactional issues. Firms have widened the parameters within their transaction monitoring systems to capture potential COVID-19-driven activity, which has, in turn, meant it has proved more challenging in reviewing the increased amount of potential red flags, especially in light of fluctuating staff resources. For similar reasons, ongoing monitoring backlogs have been created as a result of firms pausing their periodic AML reviews of customer files, particularly those files categorised as lower risk or which are considered a lower priority. As things slowly return to a relative normal, firms may be faced with insufficient resource and time to clear these backlogs within a reasonable timeframe, and adequately deal with red flags or alerts, which potentially increases the risk of inadvertently failing to detect and report financial crime activity.

Changes to transaction monitoring parameters may be acceptable where this is done in response to a change in the customer’s volume of transactions or to detect any new or heightened AML or market abuse risks. Parameters, however, should not be changed solely to reduce the number of alerts or red flags to help manage the resulting impact from the pandemic.

In any event, the market uncertainty generated as a result of COVID-19 has created more opportunities for criminals to exploit gaps and weaknesses in firms’ systems and controls. Firms should be mindful that they should not lower their CDD standards or narrow current transaction monitoring thresholds simply to cope with the challenging conditions they find themselves in. Instead, they should continue to take a risk-based approach to assess which areas to prioritise in the first instance and how to manage emerging risks appropriately.

Record-keeping processes need to evolve in order to maintain adequate standards

Issues around staff working from home and connectivity to data centres and third parties have put a strain on firms’ financial crime systems and controls. This has meant that there may have been instances where the usual protocols have been skipped and decisions made without adequate consideration, recording of rationale or obtaining relevant approvals. There have been difficulties in keeping up to speed with documenting and reflecting in existing policies and procedures any changes made to surveillance parameters, ongoing monitoring, periodic reviews or risk assessments, on the basis that these were temporary or have subsequently changed. Additionally, social restrictions have forced staff to carry out their duties, including AML and CDD responsibilities, remotely. This has limited firms’ ability to provide adequate supervision and oversight, and thus weakened the overall control framework such that staff have, at times, been unable to obtain the required sign-offs, and have missed required steps including evidencing the records adequately.

Any departure from established systems and controls, procedures and protocols need to be appropriately documented and relevant senior management approvals obtained. Having a robust audit trail is particularly important where lockdown restrictions have often prevented firms from obtaining the required evidence from customers or the required sign-offs, or where issues with outsourced service providers have arisen mainly as a result of COVID-19. Audit trails will allow firms to promptly identify the missing information yet to be obtained and any gaps in procedural steps yet to be addressed, as social interactions resume.

In light of the above issues, IT is often seen as the solution in achieving operational resilience, but re-assessing the performance of the firm’s key IT software, seeking next generation cloud based solutions and enhancing IT security is only the starting point in helping firms achieve long term operational resilience.

Please see our website to explore how we can help firms navigate effectively through the complex landscape of financial crime issues so that they stay ahead of evolving risks and are better equipped in maintaining operational resilience.