This article originally appeared in Bloomberg Law. Reproduced with permission. Published 19 March 2020. Copyright 2020 The Bureau of National Affairs, Inc. 800-372-1033. For further use, please visit http://www.bna.com/copyright-permission-request/.
Like any industry, financial services anticipates disruption from the new coronavirus.
Government agencies and economists expect most everything—from employment to GDP to inflation—will be affected. As organizations large and small tighten purse strings to brace for impact, how can financial services institutions ensure services are not disrupted—or, even more concerning, compromised?
In times of uncertainty, managing risk can be difficult. However, for financial institutions, opportunities remain to mitigate from within. The time is now for anti-financial crime (AFC) leaders to consider all options and establish a thorough plan. It is not too late to safeguard the business from the damages that can ripple from unforeseen external circumstances—and once the dust has settled, leaders must revisit this plan and implement lessons learned to prepare for the next issue that will arise.
Have a Plan—Use Technology to Meet Regulatory Requirements
It should not be unexpected that during this period of uncertainty, regulators may have questions about risk mitigation—particularly for institutions under the guidance of an enforcement order. AFC risk impact and mitigation must be addressed in firms’ business continuity and crisis management discussions. There must be ongoing transparency with regulators, key internal stakeholders, and monitors.
Over the last 18 to 24 months, organizations have been buzzing about technological advancements that help analyze and flag large-scale transactional data, alleviating pressure on anti-money laundering (AML) and anti-bribery and corruption (ABC) teams. Today, that technology will show its strength.
Financial institutions should lean on proven technologies—not just those enabling teams to work remotely, but those that help teams perform tasks seamlessly and more effectively. For institutions under the watchful eye of regulators for remedial efforts, there are likely milestone commitments with monitors that need to be met. It is critical organizations still try to meet these, even if it means that internal projects—like leadership or staff reorganizations—are put on hold.
Explore Regional Support Systems for Teams
Often in banks, the model is that regional teams only handle escalations and approval requests that relate to their own region. Considering a possible strain on team capacity, this will need to change as teams adapt to meet organizational needs. Regions with greater capacity can support regions that are resource scarce, such as those that are experiencing government-mandated quarantines or limited staff due to an outbreak.
This scenario exemplifies why consistent global standards and processes is critical. In theory, all regions should assess ABC risk the same way, with limited regional variations in approach. It may be that teams can be repurposed to help manage critical day-to-day risks.
For instance, teams within a testing and quality assurance function often have a solid understanding of AFC risk and could support that function. This may require a change in mindset—whereas teams are typically used to working in silos, external factors may require them to band together.
It may be plausible to split responsibilities for AFC teams or team members across multiple locations, in case one region is disrupted. This mitigates the risk that the whole team ends up in a self-isolation situation or ill, and helps ensure processes to meet obligations are still moving ahead. Tone from the top is key to executing successfully.
Enforce Procedures, Protocols With Clear Communication
As in any time of transition, internal communication is key. AFC leaders need to reiterate the scenarios in which AFC approvals are needed—such as for transactions to proceed—and that these approval requirements still stand regardless of COVID-19’s impact. This mitigates the risk that a deal maker within an organization will decide to bypass normal approval channels.
Ideally, this communication should come from senior management to set “tone from the top” that AFC is not a risk that can be overridden in times of crisis. If the likely impact of coronavirus is that it may take longer for AFC approval to be obtained, deal makers need to be reminded they should seek AFC approval soonest, not at the last minute, if they want their transaction to proceed on schedule.
In addition, clearly communicate with staff the controls in place to avoid fraudulent activity from occurring. Leaders should communicate the safeguards available to prevent such instances and remind staff of best practices.
For example, fraudsters may use social engineering to call, pretending to be a client needing access critical account information. There must be controls in place to “trust, but verify.” What’s more, fraudsters may look for opportunities to exploit fragmented teams, aiming to access systems through nefarious tactics.
An example would be a phishing campaign, playing to the anxieties of the coronavirus. This type of campaign could encourage employees to enter vital security credentials to access an “update” from their firm on crisis plans and protocol, unknowingly enabling bad actors to use these credentials to infiltrate the system. To mitigate either scenario, organizations must communicate regularly about protocols and procedures, ensuring employees have the resources to gauge authenticity.
With Limited Resources, Leadership Must Prioritize
Even with mitigation measures in place, the reality is organizations will still face challenges when it comes to limited resources. Within AFC teams, senior management will need to prioritize ensuring key tasks that reduce financial crimes and compliance risk have enough resources.
How can leaders decide which areas to prioritize? The first step will be done by reference to the AFC risk assessment, which should highlight key risk areas in terms of jurisdictions, business divisions, and business activities.
This is one reason why a robust, independent, and meaningful AFC risk assessment is crucial. Most AFC teams must strike a balance between change and remediation projects and routine tasks that run the bank (such as escalations, approvals, periodic reviews, alert management). It may be that change and remediation projects (typically audit driven) need to be put on the back burner while teams focus on managing the day-to-day tasks of trying to minimize build-up of a backlog and managing key AFC risks.
It would be suboptimal for firms to end up with a backlog of alerts, as this may ultimately trigger additional regulatory scrutiny. However, this needs to be balanced against remediation projects where there are regulatory commitments, such as those to a regulator or monitor, as it is important to deliver on these in a timely manner.