Outsourcing of AML Compliance: How Far Can a Financial Institution Go?
Call (305) 375-9220
Several banking giants, such as HSBC and Standard Chartered, are currently being investigated by US regulators for alleged failings in anti-money laundering (AML) compliance. All fingers point to lapses involving outsourcing units operating without adequate oversight.
There is some debate about how far a financial institution can go in offloading its AML compliance tasks to a third party. In other words, how hands-off can a financial institution be? Are there any tasks that should be kept in-house only? Outsourcing may seem to be a cost-effective and efficient way of managing AML compliance, but it can result in great disaster if not adequately monitored. For financial institutions, there are several important differences to note between AML outsourcing and other common outsourcing activities. AML compliance requires a higher level of training in contrast to standard outsourcing tasks. Legally, the financial institution is ultimately responsible for the quality of work executed by an outsourcing operation.
Banks seeking to save costs by outsourcing increasingly sensitive and sophisticated work overseas are now forced to step up oversight of their back office operations. Outsourcing the wrong tasks or not providing appropriate oversight exposes banks to legal risk, security risk, operational risk, and reputational risk, not to mention regulatory fines and potentially the disruption of business.
Activities that are appropriate for outsourcing companies are typically those that are low risk; meaning that they can be effectively and safely done by a non bank employee. For example, outsourcing companies are suitable to handle labor intensive but routine work including tasks such as customer due diligence, enhanced due diligence, verification of customer identification. Other activities that can be conducive to outsourcing might include alert reporting and notifications generated by automated transaction monitoring systems.
Notably, a financial institution remains responsible for all AML systems and controls related to outsourced activities. Therefore, financial institutions, in particular, are wise to review and address any and all risks, as well as their risk tolerance, before they even begin to think about outsourcing specific functions.
Activities that are not conducive to outsourcing are any that include the filling of sensitive reports. Filing sensitive reports is the obligation and responsibility of the financial institution and as such, are best completed by an employee of the financial institution. The targets of filings cannot be disclosed by a financial institution.
Transaction analysis is also considered the most sensitive part of the money-laundering detection process because it provides the underpinning for the filing of suspicious activity reports. Clearly, a third party is not even in a position to analyze transactions because it may not have access to all of the customer information, such as daily internet activity or loan files, which is essential in analyzing transactions.
Likewise, internal investigations of suspicious activities should be handled by the financial institution and should be approved by the board of directors of the institution. These types of investigations may involve employee interviews, finding and reviewing documents, and preparation of reports, all of which should effectively be kept highly confidential. Also, if a financial institution is confronted with a government investigation, it is recommended to immediately consult a legal counsel.
On the face of it, AML outsourcing may appear to be a win-win situation. But is everything really that simple? Can a financial institution simply find the cheapest supplier of services and watch the overheads fall? Nothing is simple in AML outsourcing. Assess what you outsource, avoid risk, and remember: the ultimate responsibility of AML compliance is in the hands of the financial institution. Responsibility can not be outsourced.
ABOUT THE AUTHOR: Arti Sangar
Seasoned international attorney in commercial dispute-resolution and arbitration matters. Also savvy in transactional matters: private equity investments, corporate-restructuring, M&A, major real estate development projects, commercial dispute management and employment issues. Enrolled as legal practitioner in Australia, India and Dubai International Financial Center. Regularly authors articles with Middle-Eastern emphasis and blogs at Emirates Business Law Blog, focused on business and law in the Middle East
Copyright Diaz Reus LLP
More information about Diaz Reus LLP
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.
Banks seeking to save costs by outsourcing increasingly sensitive and sophisticated work overseas are now forced to step up oversight of their back office operations. Outsourcing the wrong tasks or not providing appropriate oversight exposes banks to legal risk, security risk, operational risk, and reputational risk, not to mention regulatory fines and potentially the disruption of business.
Activities that are appropriate for outsourcing companies are typically those that are low risk; meaning that they can be effectively and safely done by a non bank employee. For example, outsourcing companies are suitable to handle labor intensive but routine work including tasks such as customer due diligence, enhanced due diligence, verification of customer identification. Other activities that can be conducive to outsourcing might include alert reporting and notifications generated by automated transaction monitoring systems.
Notably, a financial institution remains responsible for all AML systems and controls related to outsourced activities. Therefore, financial institutions, in particular, are wise to review and address any and all risks, as well as their risk tolerance, before they even begin to think about outsourcing specific functions.
Activities that are not conducive to outsourcing are any that include the filling of sensitive reports. Filing sensitive reports is the obligation and responsibility of the financial institution and as such, are best completed by an employee of the financial institution. The targets of filings cannot be disclosed by a financial institution.
Transaction analysis is also considered the most sensitive part of the money-laundering detection process because it provides the underpinning for the filing of suspicious activity reports. Clearly, a third party is not even in a position to analyze transactions because it may not have access to all of the customer information, such as daily internet activity or loan files, which is essential in analyzing transactions.
Likewise, internal investigations of suspicious activities should be handled by the financial institution and should be approved by the board of directors of the institution. These types of investigations may involve employee interviews, finding and reviewing documents, and preparation of reports, all of which should effectively be kept highly confidential. Also, if a financial institution is confronted with a government investigation, it is recommended to immediately consult a legal counsel.
On the face of it, AML outsourcing may appear to be a win-win situation. But is everything really that simple? Can a financial institution simply find the cheapest supplier of services and watch the overheads fall? Nothing is simple in AML outsourcing. Assess what you outsource, avoid risk, and remember: the ultimate responsibility of AML compliance is in the hands of the financial institution. Responsibility can not be outsourced.
ABOUT THE AUTHOR: Arti Sangar
Seasoned international attorney in commercial dispute-resolution and arbitration matters. Also savvy in transactional matters: private equity investments, corporate-restructuring, M&A, major real estate development projects, commercial dispute management and employment issues. Enrolled as legal practitioner in Australia, India and Dubai International Financial Center. Regularly authors articles with Middle-Eastern emphasis and blogs at Emirates Business Law Blog, focused on business and law in the Middle East
Copyright Diaz Reus LLP
More information about Diaz Reus LLP
View all articles published by Diaz Reus LLP
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.
