It’s a matter of trust – or is it?

Yes, this is a follow-on to my “Who does what” post – because there was an element I wanted to treat separately.

A lot of the matches that an Operations or Compliance staff review are pretty straightforward. There are often name elements that just don’t match, so it’s easy to say that the listed entity doesn’t match the data.

Can you, at a minimum, trust lower-level staff to do that sort of triage? Getting rid of the bulk of potential matches by using someone other than the Chief Compliance Officer or Legal Counsel may be a good, simple, easily defensible trade-off of operational cost vs. regulatory risk.

Does that staff have to be Compliance/Legal staff, or could it be parceled out to the appropriate business unit? Money Transfer Operations staff might be more knowledgeable about their payments, after all, and Human Resources is probably, from a legal standpoint, the better place to review employee screening results.

Beyond the patently obvious false positives, can you trust others with some of the day-to-day review work? Might Documentary Credit know about transaction-specific licenses that are relevant to their clients’ businesses, sparing Compliance/Legal from that spadework?

And let’s say you don’t inherently trust other departments or lower-level Compliance staff with certain final decisions. Could they do the research for you? That way, when it hit the Compliance Officer’s work basket, the bulk of the work would have been done, and only the decision-making would be left. And, in fact, had some data not been gathered, the item could be referred back so the other staff members could go out and retrieve it.

Mr. Watchlist is a fan of getting things done in the most cost-effective way, as long as it’s actually effective. If other, closer to the business and/or more inexpensive, staff can perform the same function as a highly paid Compliance or Legal officer, it would seem to make good economic sense to utilize them in that way.

An added bonus: involving less knowledgeable staff in the day-to-day review work builds their knowledge base and your firm’s compliance “bench” – some of those folks might want to work in Compliance or Legal one day, and involving them on an ongoing basis will enable them to have that career option, and make your firm’s Compliance capabilities more broadly based.

An added “D’oh” – this is not just a maxim for watchlist screening, or even just for Compliance activities. Spreading the wealth, especially across functional and/or business lines, adds to organizational strength – as Martha Stewart would say, “it’s a good thing.”

Who does what

Determining which staff members can perform which functions, and can access which pieces of data, and can do what with them, can be an art or a science – and that largely depends on the capabilities of the solutions you choose.

Of course, this is a very generic statement – this will be true for any multiuser application you choose to work with, not just watchlist screening. In that regard, when you delve into transaction monitoring, KYC or GRC solutions, the same concepts will still apply.

First, who can do what… how are privileges assignable in the application? Are there set roles you must use, or can you design your own? Is access to functions assignable on a one-by-one basis, or in blocks (e.g. all configuration functions, all batch file screening functions)?

Second, what data can be accessed… can the access to data be limited to specific business lines, functional uses or other subsets of your data, or does access to the function give you access to everything? For example, can someone be given access just to the HR employee screening results? Can someone be given access to work baskets dedicated to first-line triage, but not the folders where items are processed by compliance officers for final review?

Can some data be made publicly available, but others be on a need-to-know basis? And how are these assigned – by one’s role or other user-level setting (e.g. all supervisors from Accounting can see the higher-level Accounting work queues), by explicit assignment, or otherwise?

On a related note, if access to a function cannot be segmented, can you make changes that are applicable only to parts of the business? For example, can you make a false positive reduction rule applicable only to one department’s work? Or can you route matches by business line in addition to other factors? … or, do the limitations in the application prevent that level of detail?

Here’s an interesting example to think about: if you needed separate security administrators to maintain user records for different business units, but also needed high level compliance or audit personnel to be able to “see” all the work for all units, could you do it without having to resort to using internal procedures? Would restricting the access to the security personnel mean having to create separate processing silos for each business unit – which might force compliance or audit to have to have separate logins for each business unit?

Lastly, what can you do in a given function… can “read-only” access be granted? Can access to certain parts of a function be limited by user-level settings? So, if User A accesses a work item in Folder B, can they potentially do things that User C could not do to the same item?

And you thought it was just a matter of giving out user ids and passwords… having these options creates an application environment that not only passes muster with your security staff, but gives you greater flexibility in how you run your operation. You can leverage the smarts in the system to enforce boundaries instead of having to manage them procedurally.
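To make the three questions above concrete (who can use which function, over which data, with which actions), here is a small authorization model written for this post as an added example; it is not code from any screening product. The role names, the two business units “A” and “B”, and the folder names “triage” and “final_review” are assumptions made up for the illustration. It shows the case from the paragraph above: a security administrator scoped to one unit, triage staff who never see the final-review folder, and an audit role that reads everything from a single login without needing a processing silo per unit.

```python
from dataclasses import dataclass

ALL = frozenset({"*"})  # wildcard scope: every business unit / every folder


@dataclass(frozen=True)
class Grant:
    """One block of privileges: a function, the data scope it covers, and the actions allowed."""
    function: str          # application function, e.g. "work_items" or "user_admin"
    units: frozenset       # business units covered (ALL = every unit)
    folders: frozenset     # work folders covered (ALL = every folder)
    actions: frozenset     # e.g. {"read"} for read-only, or {"read", "decide"}


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple


def _covers(scope, value):
    return "*" in scope or value in scope


def permitted(role, function, unit, folder, action):
    """True if at least one grant of the role covers the function, unit, folder and action."""
    return any(
        g.function == function
        and _covers(g.units, unit)
        and _covers(g.folders, folder)
        and action in g.actions
        for g in role.grants
    )


def user_permitted(roles, function, unit, folder, action):
    """A user holding several roles gets the union of their grants."""
    return any(permitted(r, function, unit, folder, action) for r in roles)


def who_can(roles, function, unit, folder, action):
    """Access-review helper: which roles could perform this action on this data?"""
    return sorted(r.name for r in roles if permitted(r, function, unit, folder, action))


# Constructed role catalogue (assumption: two business units, A and B; two folders per unit)
TRIAGE = frozenset({"triage"})
FINAL = frozenset({"final_review"})
READ = frozenset({"read"})

ROLES = {
    # First-line triage in unit A: sees the triage queue only; may clear or escalate, never decide
    "triage_unit_a": Role("triage_unit_a", (
        Grant("work_items", frozenset({"A"}), TRIAGE,
              frozenset({"read", "clear_false_positive", "escalate"})),
    )),
    # Compliance officer in unit B: both folders for B, holds the final decision right
    "compliance_unit_b": Role("compliance_unit_b", (
        Grant("work_items", frozenset({"B"}), TRIAGE | FINAL,
              frozenset({"read", "decide", "escalate"})),
    )),
    # Security administrator for unit A: maintains user records for A only
    "sec_admin_unit_a": Role("sec_admin_unit_a", (
        Grant("user_admin", frozenset({"A"}), ALL, frozenset({"read", "create", "modify"})),
    )),
    # Audit: read-only over every unit and folder, one login, no per-unit silo
    "audit": Role("audit", (
        Grant("work_items", ALL, ALL, READ),
        Grant("user_admin", ALL, ALL, READ),
    )),
}


if __name__ == "__main__":
    # Periodic access review: who can see unit B's final-review folder?
    for name in who_can(ROLES.values(), "work_items", "B", "final_review", "read"):
        print(name)
```

The point of `who_can` is the reverse question your security staff will ask during an access review: not “what can this user do?” but “who can reach this data?”. Because scope (unit, folder) and action are separate dimensions of a grant, the model can express “audit reads everything but decides nothing” without a second login or a copy of the data.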

Set phasers (not) to stun!

A lot of this seems daunting, doesn’t it? So many possible lists, system settings to consider… and so much work to process Day 1. Seems a little nuts to me…

Well, even if you’re facing down the loaded end of a C&D (cease and desist), one doesn’t have to implement a whole raft of changes in the blink of an eye. You can phase in your changes.

What auditors and regulators want to see is, of course, an acceptable program – eventually. What matters more is the plan to get there. These folks aren’t ogres (at least, not the ones I’ve met).

Imagine the following paths to “full” compliance:

  1. In January, you screen all accounts with an average daily balance of $1MM US against your PEP list. In March, you lower that threshold to $750,000. In May, you lower the threshold to $500,000. In August, it goes down to $250,000 and finally, in January of the next year, you drop it to $100,000…
  2. In the beginning of January, you start screening your accounts against sanctions lists using exact matching. In mid-January, you start using fuzzy screening at 93%. In mid-February, the fuzzy threshold drops to 91% – in mid-March, to 90%, in mid-April, to 88%, in mid-May, to 87%…
  3. In January, you begin screening against OFAC, the HMT (Her Majesty’s Treasury) list, the UN list and the EU list, because they’re your highest-volume currencies. In February, you add the second tier – the Canadian lists (OSFI, plus the DFAIT economic sanctions countries and cities, which include some city names that are very common in the US), the Japanese Ministry of Finance, the Monetary Authority of Singapore list and the Hong Kong Monetary Authority list. In March…
  4. In January, you start screening account information against national and international-level foreign PEPs that are still in office. In February, you include officials who have left office within the last 3 years. In March, you include national and international-level domestic PEPs who are still in office. In April, you include domestic officials who have left office within the last 3 years. In April, you include provincial/state-level domestic PEPs. In May, you include local-level domestic PEPs.
  5. In January, you start out with what you consider the bare minimum list of sanctions lists, including OFAC. Over the next few months, you add transaction-specific lists, such as BIS (Bureau of Industry and Security), BISN (Bureau of International Security and Nonproliferation), DTC (Directorate of Defense Trade Controls) and the World Bank Debarred List. In the second half of the year, you add a screen to your client onboarding process against law enforcement lists, including US Marshal Service, FBI, and Interpol.

Making some of these changes may increase the overall number of matches over time (e.g. changing the fuzzy logic level), while others may just increase the number of matching entity listings (which increases the time to clear each item).
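The second path above (exact matching first, then a fuzzy threshold stepping down from 93% to 87%) can be rehearsed before each phase so that the volume increase is known rather than discovered. The following is an added example written for this post, not code from any screening vendor; the similarity measure (edit distance normalised by the longer string) is a simplification chosen for the illustration, and the account names and list entries are constructed placeholders. It counts how many account/list pairs clear each threshold in the phasing schedule.

```python
import re


def _normalise(name):
    """Upper-case and collapse whitespace so formatting differences do not count as edits."""
    return re.sub(r"\s+", " ", name.strip().upper())


def edit_distance(a, b):
    """Classic Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def similarity_pct(a, b):
    """Percentage similarity: 100 means exact, lower means more edits relative to length."""
    a, b = _normalise(a), _normalise(b)
    longest = max(len(a), len(b)) or 1
    return round(100 * (1 - edit_distance(a, b) / longest), 2)


def matches_at(accounts, watchlist, threshold_pct):
    """All (account, list entry, score) pairs that would be stopped at this threshold."""
    return [
        (acct, entry, score)
        for acct in accounts
        for entry in watchlist
        if (score := similarity_pct(acct, entry)) >= threshold_pct
    ]


def phase_plan(accounts, watchlist, thresholds):
    """Expected match count at each phase; 100 is the exact-match starting point."""
    return {t: len(matches_at(accounts, watchlist, t)) for t in thresholds}


# Constructed sample data: fictional list entries and account names, not real listings
WATCHLIST = ["ACME TRADING LTD", "GLOBAL WIDGET CORP", "JOHN DOEMAN"]
ACCOUNTS = [
    "Acme Trading Ltd",        # exact (100%)
    "ACME TRADNG LTD",         # one dropped letter (93.75%)
    "Jon Doeman",              # one dropped letter in a short name (90.91%)
    "GLOBAL WIDGET CO",        # truncated suffix (88.89%)
    "Unrelated Bakery Inc",    # never matches
]
SCHEDULE = [100, 93, 91, 90, 88, 87]   # the phasing steps from the text


if __name__ == "__main__":
    for threshold, count in phase_plan(ACCOUNTS, WATCHLIST, SCHEDULE).items():
        print(f"threshold {threshold:>3}%: {count} potential match(es)")
```

Run against a real account file and the real lists, the same loop gives the staffing curve for the year: the jump between two phases is the number of additional items the reviewers will see on the day the threshold drops. Note that short names lose more similarity per edit than long ones, which is why the same single-letter typo lands at 93.75% for one entry and 90.91% for another.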

Why phase in changes, instead of a “big bang” that gets your program up to snuff immediately? First, there’s the cost – a large increase in matches will either mean overtime, a large increase in staff or temporary help and/or less time devoted to making a decision on each match. Second, there’s the likelihood that a massive set of changes will overwhelm your staff, making them less, rather than more, productive (which adds to costs and errors). Third, making significant changes requires that compliance processes still keep their focus on the proper set of priorities – like, economic sanctions items are most important, followed by PEP screening, followed by other due diligence efforts (that’s an example – your priorities might be different). Priorities can easily get lost amidst the rush to get the decks cleared on a daily basis.

So, plan getting from here (where you are today) to there (where you want to end up) in an orderly fashion, like they tell you to do in movie theaters in case of an emergency, like a fire – instead of in the mad rush that usually happens. There will be fewer bruises all around if you do.

Bad puppy!

Well, I mentioned in my previous post that I would deal with the problems I see with the “refer back to lower-level staff” workflow step separately. Well, this here is where I’m going to deal with it.

The problem, to my mind, is the “puppy peeing on the carpet” problem. So, if you’ve ever had a puppy, you know they have accidents. And there are various ways of dealing with that problem, and none of them are particularly pleasant. One of the ways people handle doggie pee is to whack the dog on the nose with a newspaper – bad dog!

The dog may make the error once again, maybe even twice. But eventually they learn – and, except for when it’s sick, or left at home way too long between walks, the dog never soils again. There is no more need for a rolled-up newspaper as a training device.

The same happens with referrals back to the lower-level staff. They may not give you enough information once or twice, but that referral will clearly be seen as punitive (and something that can probably be dragged out of the system logs for their annual review). After it happens a number of times, they will go out of their way to document, if not over-document, everything about each item that they send up the chain of command. So, not only is that part of the workflow not used again (unless you have a new litter of puppies), staff is probably wasting time getting too much information just so it doesn’t get another referral from management.

Mr. Watchlist’s mantra is to keep it simple unless you really have to do otherwise. Referrals down the chain of command are an unnecessary frill that will probably produce unexpected and unwelcome consequences.

Imagine a rectangle…

It’s a useful way to look at, and design, your business processes and workflows for reviewing potential matches to watchlists, really.

From left to right, you have a number of workflows, segregated out by the ways it makes sense for you to run your business. There are a lot of ways you might do this, all depending on how you organize yourself, volumes and the complexity of what you do:

  1. Geographic breakdowns, especially if you operate in multiple regulatory jurisdictions.
  2. Organizational breakdowns. These could be segregation by divisional lines (e.g. like a Bank Holding Company with multiple financial service firms), or by functional lines (Human Resources vs. Static Data Management).
  3. Breakdown by type of data screened. You might want to separate insurance claims from policy information, for example.
  4. Breakdown by types of screening performed, or watchlists used. If there are daily screens of new accounts as well as periodic screens (e.g. weekly or monthly), it might be useful to put the results in separate workflows. Similarly, matches against sanctions lists might be segregated from non-sanctions lists (especially the PEP list), either because of the differences in match volumes, or because the underlying handling of true matches can be very different.

One of the niceties about not just lumping all your screening into one big workflow is that it allows you to have variability in how things are processed. Certain areas may require additional levels of review, or may require different processing due to different staff capabilities and experience, or organizational reporting lines.

The vertical direction of the workflow rectangle represents the process steps you wish to capture in workflow, from the initial stop for review to final resolution. Common (although not necessarily advisable) intermediary steps include:

  1. Setting aside items for more research. One consideration is that, if multiple levels of staff can do this, your system needs to have a mechanism for keeping them separate.
  2. Escalating an item to a higher level of staff
  3. Referring an item back to a lower level of staff for more research to be conducted

Mr. Watchlist’s personal preference is to define a simple workflow structure and, if necessary, make it more complex over time. A sign of a poorly-designed workflow is when parts of the workflow are infrequently used with any sort of volume. For example, if your account screening can be routed to 10 work folders or queues (in a structure not defined by organizational boundaries) and each one ends up with a small handful of items on any given day, it would make sense to redesign the workflow to have fewer buckets to put your matches into. Similarly, if you have 6 levels of escalation, and the top 3 are used once or twice a year, perhaps those should be handled by email, not within a system where the staff member will require a password reset each time they access the system.

I will deal with the third item in the list above in a separate post, because … well, just because.

The delicate balance of watchlist screening

Balance? What’s balance?

Balance between the costs of compliance and the potential costs of non-compliance, of course.

But, but, but… doesn’t OFAC sputter about its “strict liability” policy?

Sure, but they also have their Enforcement Guidelines, which informs how they determine how hard to slap a firm’s wrists, if at all.

So, how do we determine where this balance is?

First, the bad news: the balance is where a particular firm is comfortable placing it. It’s not a strictly actuarial equation, especially when it’s fraught with subjective things like the inherent risk in the customer base, the geographies involved, the products offered, the amounts involved, the timing of the last enforcement action against the firm, the current regulatory environment… can I stop now?

As you might imagine, this is one of Mr. Watchlist’s favorite subjects.

The good news: there are ways to enumerate and estimate (if not actually quantify) the costs of non-compliance (or under-compliance, if you prefer – there’s a big difference between an inadequate program due to lack of sophistication or ill-informed decisions and an inadequate program due to willful steps to leave holes in it). Once those calculations are complete, firms can then decide how much residual risk is acceptable and how much ongoing operational expense is justified to produce that level of risk (one-time expenses like upgrades to software and hardware should be excluded from such a calculus).

Let’s start with the costs of compliance. A firm should consider the number of items that are being reviewed (really, the number of operator reviews – if 2 matches on a single record causes two separate reviews, it should be counted that way), the number of steps required to clear an item, the average percentage of items that goes to each staff level (e.g. initial review and any escalations or referrals), the time spent at each level for each item, the fully-weighted staff cost of each review at each level. Consider the time spent in research and documentation of each step.

And, of course, consider any differences in the workflow. Are there different staff who review PEP matches, as opposed to sanctions matches? Do different screenings have different business processes than others (e.g. client screening vs. employee screening)?
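The cost-of-compliance inputs listed above (operator reviews rather than records, share of items reaching each level, minutes per item including research and documentation, fully weighted hourly cost, and separate workflows for different screening types) combine into a simple funnel. Below is an added example written for this post that carries that calculation through; it is not a calculator from any product, and every figure in it (review volumes, percentages, minutes, hourly rates) is a constructed placeholder, not a benchmark.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One staff level in a review workflow."""
    name: str
    share_of_reviews: float   # fraction of all reviews that reach this level (1.0 for initial review)
    minutes_per_item: float   # average handling time, research and documentation included
    hourly_cost: float        # fully weighted staff cost per hour


def review_count(matches_per_record):
    """Count operator reviews, not records: a record with two matches costs two reviews."""
    return sum(matches_per_record)


def cost_per_review(levels):
    """Expected cost of one review, summed over every level it might reach."""
    return sum(lv.share_of_reviews * (lv.minutes_per_item / 60) * lv.hourly_cost for lv in levels)


def workflow_cost(reviews_per_year, levels):
    return reviews_per_year * cost_per_review(levels)


def program_cost(workflows):
    """Total ongoing cost for a dict of workflow name -> (reviews per year, levels)."""
    return sum(workflow_cost(reviews, levels) for reviews, levels in workflows.values())


# Constructed workflows: sanctions matches go through three levels, PEP matches through two
SANCTIONS_LEVELS = (
    Level("first-line triage", 1.00, minutes_per_item=5, hourly_cost=40),
    Level("compliance officer", 0.20, minutes_per_item=15, hourly_cost=80),
    Level("chief compliance officer", 0.05, minutes_per_item=30, hourly_cost=150),
)
PEP_LEVELS = (
    Level("first-line triage", 1.00, minutes_per_item=8, hourly_cost=40),
    Level("compliance officer", 0.10, minutes_per_item=20, hourly_cost=80),
)

# Constructed annual volumes, already counted as reviews (see review_count)
PROGRAM = {
    "sanctions": (50_000, SANCTIONS_LEVELS),
    "pep": (20_000, PEP_LEVELS),
}


if __name__ == "__main__":
    # A constructed day's worth of records: number of list hits per record
    print("reviews for one day:", review_count([1, 2, 1, 1, 3]))
    for name, (reviews, levels) in PROGRAM.items():
        print(f"{name}: {cost_per_review(levels):.2f} per review, "
              f"{workflow_cost(reviews, levels):,.0f} per year")
    print(f"total: {program_cost(PROGRAM):,.0f} per year")
```

The useful output is the per-review figure for each workflow: it is what you compare against the residual-risk side of the balance when deciding, for instance, whether a lower fuzzy threshold or an extra escalation level is worth its ongoing cost. One-time costs (software, hardware) are deliberately not represented, in line with the text above.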

Now, let’s consider the risk (and cost) of non-compliance. For simplicity, let’s treat all sanctions regulators as if they all managed violations like OFAC does. So, the operative question is not “what’s the likelihood we’d get caught?”, but “what’s the likelihood that our program, as designed, would result in violations that would draw a significant civil penalty?”. To answer that question, you have to consider the OFAC Enforcement Guidelines as reference, where timing of sanctions, total amounts involved, quality of compliance program, and enforcement history, among other things, determine what enforcement actions, if any, result from a given set of violations.

In the light of the flood of recent high-profile enforcement actions, however, perhaps it is more important to know what everyone other than Compliance operations is up to. HSBC, ING, Standard Chartered, etc., ended up with huge fines largely because operations and sales business units went out of their way to bypass any potential Compliance controls.

Beyond sanctions, there are a couple of other questions one ought to consider.

The PEP list, and other lists used as part of an AML/CIP/CDD program, do not identify people who must not be dealt with. They help point out those who are more risky to deal with. One does not draw fines from FinCEN for not identifying someone as a PEP as long as one has a program for identifying them. So, in that case, one must calculate what would constitute a viable PEP screening program that would pass regulatory muster, while not forcing a company to search through excessive hay in order to find those pesky needles that may or may not prick one’s fingers one day.

Lastly, for all other non-sanctions lists, there’s a really simple question: why am I doing this in the first place, given that I am not required to – and how does that inform how I manage this process, if I decide to continue doing it? Is there, in fact, a cost of non-compliance in these instances?

At the end of the day, a firm needs to have a sense of risk tolerance or avoidance that will inform concrete decisions about the inner workings of the watchlist screening program. Does a particular feature need to be watertight, or is the standard of care that of a “reasonable man”?

Mr. Watchlist’s opinion? For the huge majority of firms – other than those subject to recent enforcement actions (or the subject of a current investigation) – programs could be reconfigured to recognize significant cost savings with minimal, if any, increase in residual risk.

YMMV (your mileage may vary), of course.