As financial services companies grow, it is common for their audit findings to include recommendations or requirements to implement some form of Automated, or “Surveillance”, Transaction Monitoring System (“TMS”). Over time, other regulated financial institutions such as money services businesses (“MSBs”) and casinos have had this requirement imposed as well, either directly as an audit finding by their primary regulator, or more commonly as a requirement to maintain their bank relationship. Depending on resource considerations – whether you build or buy – a TMS can look very different; but in all implementations, there are a few critical points that need to be addressed.
Taken as a ‘black box’, a TMS will take what you put in and (hopefully) give you something more useful back out. Unfortunately, the concept of ‘garbage in, garbage out’ is a common pitfall of new TMS implementations. When assessing your alternatives, make sure that there is a reliable internal or external set of human resources to ensure that the data flowing in is both valid and being interpreted by the TMS properly. It is also necessary to establish a periodic review to ensure the validity of data input versus output, which brings us to…
Your brand new TMS cannot serve your institution in a vacuum; providing the user manual and some attractive looking reports to regulators will not be well received. It will be necessary to understand the system in adequate depth to accurately describe how you will utilize it, train your employees to use it, then measure its effectiveness (including ongoing data validation!). It will evolve over time as your risk profile changes.
The evolution over time of your TMS generally takes the form of Rules Management – taking the criteria your system uses and improving them iteratively. This does not need to be an onerous process, and the iterations should make logical sense from one step to the next. The initial rules should be quantitatively based – you can take your data and decide where thresholds for rule logic should lie using averages and standard deviations. Going forward, the rules should be quantitatively and qualitatively based on results – the number of alert ‘cases’, the number of investigations, the number of Suspicious Activity Reports (“SARs”) you file, and most importantly the number of false positives, where the limited time of your compliance personnel was spent reviewing activity that was not suspicious. Your compliance program needs to be risk-based, and rules that do not find suspicious activity must be weeded out, as they demonstrably do not adequately mitigate your risks.
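The two steps described above, as an added example that is not taken from any particular TMS product: an initial threshold set from the average and standard deviation of historical amounts, then per-rule results used to find rules that never surface suspicious activity. The sample data, rule names, disposition labels, the multiplier `k` and the `min_cases` cut-off are all assumptions made for illustration.

```python
from collections import Counter
from statistics import mean, stdev

# Constructed sample: historical single-transaction amounts (USD).
BASELINE_AMOUNTS = [120, 250, 90, 400, 310, 180, 220, 150, 275, 205]

# Constructed case log of (rule_id, disposition). Disposition labels are
# assumed: "false_positive", "investigated" (no SAR), "sar_filed".
CASE_LOG = (
    [("R1", "false_positive")] * 5 + [("R1", "investigated")] * 2
    + [("R1", "sar_filed")]
    + [("R2", "false_positive")] * 4
    + [("R3", "false_positive"), ("R3", "investigated"), ("R3", "sar_filed")]
)

def initial_threshold(amounts, k=3.0):
    """Initial rule threshold: mean plus k sample standard deviations."""
    return mean(amounts) + k * stdev(amounts)

def flag_transactions(amounts, threshold):
    """Amounts that would open an alert case under the threshold rule."""
    return [a for a in amounts if a > threshold]

def rule_metrics(case_log):
    """Per-rule cases, investigations, SARs, false positives and FP rate."""
    counts = {}
    for rule_id, disposition in case_log:
        counts.setdefault(rule_id, Counter())[disposition] += 1
    report = {}
    for rule_id, c in counts.items():
        cases = sum(c.values())
        report[rule_id] = {
            "cases": cases,
            # A filed SAR implies an investigation took place.
            "investigations": c["investigated"] + c["sar_filed"],
            "sars": c["sar_filed"],
            "false_positives": c["false_positive"],
            "fp_rate": c["false_positive"] / cases,
        }
    return report

def rules_to_review(report, min_cases=3):
    """Rules with enough cases to judge that never led to an investigation."""
    return sorted(r for r, m in report.items()
                  if m["cases"] >= min_cases and m["investigations"] == 0)

if __name__ == "__main__":
    limit = initial_threshold(BASELINE_AMOUNTS)
    print(round(limit, 2), flag_transactions([450, 520, 1200], limit))
    print(rules_to_review(rule_metrics(CASE_LOG)))
```

The list returned by `rules_to_review` is a starting point for a documented tuning decision rather than an automatic removal; each change to a rule should be recorded with its rationale.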
If you are fortunate to have a large budget and just purchased some well-respected off-the-shelf solution with bells and whistles such as “machine learning” and “fuzzy logic”, remember that you need to comprehend and manage these features, too. Where the TMS does the thinking for you, you need to be able to validate that it is thinking properly. Everything must be documented and justified in a clear and concise manner, lest your next auditor decide your TMS is running amok.
A ‘case’ is a set of transactions that represent the ‘alert’ your TMS has just created. Whatever the criteria, your TMS creates cases based on transactions and says that they perhaps represent a pre-determined type of suspicious activity. When you clear these ‘cases’, you are documenting either that the activity was potentially suspicious (in which case it moves on to an investigation, which may or may not be performed immediately), or that it was a false positive. Either way, if it’s not written down, it didn’t happen. Most off-the-shelf systems will automatically handle this for you, which is their biggest value proposition. If you are instead getting a big list of transactions in Excel, make sure you create a methodology that ensures each row and every case has a clearly documented disposition.
Also, as with SARs, more is not always better. Your Rules (and Not-Rules) management should ensure that what human eyes are reviewing is appropriate and necessary – with a solid program, a solid rationale and solid resolve… you can do with 200 case reviews what would take others 2,000 reviews. Even better, you should be able to demonstrate to your regulator that you have done so.
Of course, as with everything in your compliance program, the Board of Directors needs to be informed and your communication with the Board should be documented thoroughly. Getting a lot of face-time with the Board is generally wishful thinking, but statistics are great for putting on slides while verbally discussing more qualitatively the emerging changes in your compliance program.
Transaction Monitoring Systems look great on paper. The concept of process automation is easy to sell; it makes your life easier and has plenty of interesting features. Make sure you are getting what you bargained for – if the vendor has you sign an agreement, promises you implementation in two months and has done nothing to assess your IT resources or requirements, ‘they are selling you a bridge.’ Once they have you signed, there is often a drastic escalation of your commitment.
Noah Payton, CAMS, is a financial services program manager with several years of experience in state licensing and creation of anti-money laundering compliance programs for money service businesses.