Cognizant Reports

Financial Crime: How Financial

Institutions Can Mitigate Risk and
Improve Compliance
Banks face dramatically higher operating costs and business
complexity, with the increased scope of financial crimes and
growing regulatory liabilities, highlighting the need for a more
integrated and unified approach to risk mitigation and compliance.

cognizant reports | may 2016

Executive Summary
Top financial industry executives are increasingly concerned about the rising sophistication
of financial crimes, including money laundering,
terrorism financing, cybercrime, fraud, tax evasion, bribery and internal threats from employees. At the same time, the number of banks being
penalized for regulatory and sanctions violations
in the U.S., the UK, the European Union and elsewhere has spiked in recent years, demanding
greater transparency, responsibility and compliance. Furthermore, the increase in extra-territorial enforcement of U.S. laws and reciprocation
from other countries has amplified compliance
challenges, vastly increasing the cost and complexity of doing business.
Banks have made huge investments in risk and
compliance management, but their fragmented
approach to financial crime has had limited
success in staving off threats and meeting regulatory requirements. This has resulted in increased
violations and money spent on regulatory
compliance.
Clearly, banks need to refresh their approach to
handling financial crime and regulatory compliance. We recommend six key steps to help banks
adapt to the ever-changing criminal and regulatory landscape.

Conduct

a risk assessment based on the

banks products, services, geographies and
clients to better understand the threat environment.

Integrate the efforts of various disciplines

involved in financial crime prevention across
the organization to identify synergies and

overlaps in people, processes and technologies; this will help reduce redundancies and
streamline processes.

Improve the availability and quality of data

to support real-time transaction monitoring

and advanced analytics.

Apply advanced analytics to gain a holistic

view of threats and the entities that cause

them; this will help uncover complex and subtle threats, as well as emerging ones, early and
effectively.

Nurture a culture of high ethics and integrity

by setting accountability standards, establishing controls and policies, working closely with
regulators and increasing employee awareness.

Actively

participate in the industry-wide

initiatives undertaken to mitigate risk and
improve compliance.

The Growing Burden of Financial Crime

and Regulatory Compliance
Criminals are more sophisticated than ever when
it comes to financial and cybercrime, and banks
are struggling to catch up. Meanwhile, increased
regulatory demands for transparency and compliance, as well as hefty penalties for non-compliance, have put enormous pressure on banks, both
financially and operationally.
Rising Threats
A number of drivers including globalization,
the proliferation of banking channels, rising
transaction volumes and accelerated technology advancements (i.e., new digital tools and
intelligent automation) have introduced new

Single Biggest Barrier to Fighting Financial Crime Effectively for UK Banks

10%

Evolving criminal methodologies

10%

Cost of AML compliance

42%

10%

Lack of personnel in risk function

Civil prosecution/class actions

11%

Geo-political events
15%

Sectoral sanctions

Base: 198 senior-level financial crime and AML compliance professionals

Source: The British Bankers Association and LexisNexis, November 2015
Figure 1

cognizant reports

opportunities for financial malfeasance. Criminals continuously probe banking organizations

defenses through innovative algorithms and
complex schemes across channels and vectors;
banks must also guard against internal employee
threats (see Figure 1, previous page).

In response to the 2001 terrorist attacks, the U.S.

significantly expanded the scope of laws governing money laundering, bribery and fraud and
applied them extra-territorially; the European
Union and the UK followed suit. The EUs AntiMoney Laundering Directive (AMLD 4) which
will be implemented by member states starting
June 26, 2017 requires financial institutions
to continuously identify, evaluate and document
risks related to money laundering and terrorist
financing; report suspicious transactions made by
their clients; and maintain records of payments.

Big banks are not the only targets; small banks

are easy prey for criminals, as many lack robust
systems to fend off threats.
Heightened Regulatory Scrutiny and Surging
Compliance Costs
Regulators across the globe have intensified
their scrutiny and are assessing heavy fines to
banks that fail to adopt adequate defenses or
that violate the Banking Secrecy Act/Anti-Money
Laundering (BSA/AML) program. Between 2007
and 2014, banks paid about $21 billion in cumulative anti-money laundering (AML) fines alone in
the U.S.1

Sanctions compliance is another major challenge

for global banks as they strive to keep pace with
a dynamic sanctions list comprising individuals, countries and institutions, separately maintained by the EU, the U.S. and organizations such
as the United Nations. Banks must also keep up
with lists for AML, tax evasion and other forms
of crime. The growing list of individuals and entities to be screened has put pressure on banks
transaction screening systems, increasing the
number of false positives generated. U.S. authorities have clamped down on foreign banks for lax
controls over financial crime and sanctions; European banks are most affected by this crackdown
(see Figure 3, next page).

Banks are continuously challenged by emerging

AML compliance requirements (see Figure 2).
This includes the long-awaited beneficial ownership rule from the Financial Crimes Enforcement
Network (FinCEN), expected to be finalized this
year, which will require banks to verify and identify the true owner of companies behind financial
transactions. Banks will also need to understand
the implications of the ongoing assessment of
the U.S. Anti-Money Laundering/Combating the
Financing of Terrorism (AML/CFT) framework
developed by the Financial Action Task Force
(FAFT).

In the UK, the Financial Conduct Authority (FCA)

has increased its scrutiny and updated its guidance on financial crime prevention. The move was
based on a 2014 review of 21 small banks, which
found significant weaknesses in the AML systems
and controls in high-risk situations at most banks;

AML Compliance Challenges in the Next 12 Months

58%

Increased regulatory expectations and enforcement

40%

Having enough properly trained AML staff

37%

Additional regulations

36%

Insufficient/outdated technology
25%

Too many false positive screening results

20%

Sanctions compliance

18%

Understanding regulations outside home country

16%

Formal regulatory criticism

Fear of personal civil and criminal activity

11%

Lack of senior management/board engagement

10%

Understanding regulations in home country

8%

Base: 812 AML, BSA and/or compliance executives

Source: Dow Jones and ACAMS, 2016
Figure 2

cognizant reports

additionally, staff at one-third of the banks lacked

awareness of AML and sanctions risks.2
Further, regulators want banks to take greater
responsibility for preventing financial crime and
reporting suspicious activities. In response, banks
have made efforts to enhance their transaction
monitoring systems, acquire greater knowledge
about customers and their transactions, and
recruit people with expertise in risk investigation
and compliance.

Challenges of Fighting Financial Crime

Keeping up with accelerating regulatory change
is proving difficult for banks, but non-compliance
can be even more costly. Costs include monetary
fines, remediation, termination of business lines
and temporary or permanent restrictions on selling certain products, not to mention the unquantifiable impact of investor dissatisfaction and
reputational damage to the brand.

The shortage of trained compliance specialists

and the increasing responsibilities of compliance
professionals who assimilate an average of 167
regulatory alerts per day, a sharp increase from 68
a few years ago are forcing banks to offer higher
salaries to find and retain the best talent. This
has vastly increased costs, with the largest global
banks spending about $4 billion a year on compliance.3 Amid demands from customers and investors to lower costs, global banks have terminated
certain products, services and customer relationships in high-risk segments and geographies.

Banks have invested heavily in strengthening

security and meeting compliance demands, but
such efforts are undermined by their piecemeal
approach to dealing with
financial crime. Risks such Banks have
as money laundering, cyberinvested heavily
crime and fraud are traditionally handled independently in strengthening
by various organizational security and
functions. Each has its own
meeting compliance
tools, systems, processes
and compliance mechanisms, demands, but
with minimal communication such efforts are
among them.

For resource-constrained small- and medium-size

banks, regulatory compliance has become a particular concern, with costs at many banks spiraling out of control. Many of these institutions have
not updated their compliance programs, especially for BSA/AML, although they are held to the
same expectations as their larger counterparts.

This fragmented approach

has resulted in duplication of
data, technology and efforts,
resulting in rising costs.
The largest global banks spend an estimated
$1 billion to $1.5 billion annually on financial crime
compliance.4 Without consolidated data from

undermined by their
piecemeal approach
to dealing with
financial crime.

Major Fines Applied to Foreign Banks for U.S. Sanctions Law Violations
Bank

Year

Fine (in $ million)

BNP Paribas (France)

2014

8900

Standard Chartered (UK)

2013

667

ING (The Netherlands)

2012

619

Credit Suisse (Switzerland)

2009

536

ABN Amro (The Netherlands/UK)

2010

500

HSBC (UK)

2012

375

Lloyds (UK)

2009

350

Commerzbank (Germany)

2015

342

Bank of Tokyo Mitsubishi (Japan)

2014

315

Barclays (UK)

2010

298

Deutsche Bank (Germany)

2015

258

Bank of Tokyo Mitsubishi (Japan)

2013

250

Clearstream (Luxembourg)

2014

152

Royal Bank of Scotland (UK)

2013

100

Source: Council on Foreign Relations, April 2015, and The Guardian, November 2015

Figure 3

cognizant reports

multiple channels and geographies, it is also more

difficult to identify suspicious activities or gain a
unified view of organization-wide risk.
The challenge for banks is to enhance their ability to detect, prevent and report financial crime
while containing spiraling regulatory and compliance costs.

Six Steps to Fighting Financial Crimes

There is no silver bullet to preventing financial crime. Banks must take a series of steps to
become more adept at fighting threats and navigating the complex regulatory landscape. Organizations can begin by conducting a comprehensive
risk assessment, and then integrating the various financial crime prevention efforts across the
organization to remove silos, improve the quality
and availability of data, and create a culture of
data-driven decision-making.
1. Tailor the Risk Management Approach
The key to developing and applying adequate controls is becoming knowledgeable about the risks
themselves and the business areas they impact. A
risk assessment should then be carried out based
on the organizations size, channels, geographies,
customer types and product and service complexity (e.g., risks for wealth management products
can arise from high-value transactions, politically
connected individuals, multiple jurisdictions and
banking secrecy). By mapping these risks against
internal policies, procedures and controls, banks
can assess their effectiveness in mitigating risks,
and fine-tune them accordingly. A periodic review
of the risk assessment should be conducted to
ensure relevancy.
2. Address Silos
There is a wide spectrum of financial crime types,
including money laundering, terrorist financing,
fraud and cyberattacks. Intrusions, however, often
go unnoticed, as these disciplines often operate
in silos. To more effectively manage the growing
sophistication of crimes, banks are increasingly
focused on tightly integrating or merging the various internal functions tasked with financial crime
prevention. However, some experts warn about
the risks of such integration as it can increase
vulnerability to cyberattacks, and instead recommend improving communication and coordination among the teams.5
We believe banks should start by integrating
transaction monitoring in their cybercrime and

cognizant reports

AML disciplines to see the A cyberattack alert

benefits for themselves, since
these teams face similar types by the cybersecurity
of challenges, and typically team will enable the
overlap in terms of processes, AML function to
systems and data requirements. For example, if a cyber- tighten transaction
attack occurs that involves the scrutiny and prevent
theft of online customer data, money laundering,
the team within the AML discipline could provide complete while the fraud
details of all suspicious activi- prevention team can
ties flagged by its transaction take steps to ensure
monitoring systems. These
details could then be used the stolen customer
to cross-check any surge in data is not monetized.
e-commerce purchases, wire
transfers, ATM withdrawals or similar transactions, thus detecting and preventing criminals
from using the stolen data.
Similarly, a cyberattack alert by the cybersecurity team will enable the AML function to tighten
transaction scrutiny and prevent money laundering, while the fraud prevention team can take
steps to ensure the stolen customer data is not
monetized, as well as investigate insider activity.
The sooner the information is passed to the other
teams, the more time they have to prevent the
crime or identify the perpetrators.6
This type of collaboration will help banks gain new
efficiencies in transaction monitoring and investigation, plug security gaps, reduce redundancies,
streamline processes, innovate and build models
that can identify and prevent even sophisticated
crimes effectively, which can go a long way toward
reducing costs and limiting financial damage.
3. Overcome Data Challenges
The key to integrating multiple risk efforts lies
in the banks ability to get high-quality and consistent data from across the organization. This is
no easy task for large banks, many of which have
accumulated multiple systems and technologies
over the years through mergers and acquisitions.
Standardizing large volumes of customer, transaction, crime and other unstructured and semistructured data from across the organization
can be a challenge, as is encouraging employees
to comply with internal standards and practices
when entering data. However, doing so can significantly improve the overall data quality and accuracy needed to support real-time monitoring and
data-driven decision-making.

4. Embrace Analytics
Combining effective data management with
advanced analytics is essential for detecting and
preventing growing threats. By collecting and
analyzing the massive volumes of current and historic data within the organization (across all lines
of business) and from external agencies providing
financial crime data, banks can gain a comprehensive view of customers and transactions, as well
as insights into relationships between various
entities that previously went unnoticed. Through
analytics, banks can better understand the risks
posed by customers, transactions and other entities, and discover complex threats that impact
multiple lines of business.
For instance, a transaction that appears legitimate in one channel may appear suspicious
when viewed holistically. Forensic data analytics
will help banks identify and predict risk patterns
and issues in advance, enabling them to pre-empt
criminal activity, particularly insider threats and
data breaches that involve gaining unauthorized
access to sensitive data.
5. Address Culture and People Challenges
The tone set by senior management is key to driving an organizations crusade against financial
crime. Senior bank officials need to set accountability standards, establish policies and controls,
promote transparency by working closely with
regulators, provide incentives for promoting compliance, and show zero tolerance toward potential
internal and external risks.
Organizations should also grow their awareness
of emerging threats, such as risks posed by virtual currencies and new channels and technologies. Employees should be trained and updated on
the latest regulatory developments and emerging
risks, and be sensitized to the various ways criminals can exploit them. High-risk users, such as
contractors, suppliers and employees with access
to sensitive organizational data and information,
must be monitored and analyzed continuously for
suspicious behavior or use of technology.
6. Collaborate with Industry-wide Initiatives
While banks have invested heavily to improve
their compliance programs, evolving regulations
have hindered them from developing a sustainable and scalable solution. Individual banks have
developed proprietary solutions, with no industrywide standards or best practices to guide them,
resulting in duplicate efforts across the industry
and accelerating compliance costs.
cognizant reports

Banks need to move toward

a more collaborative and
unified approach, similar to
what exists for international
trade confirmation and settlement. Doing so would address
skill shortages, facilitate the
creation of standards and
best practices and foster
innovation.7

A transaction that
appears legitimate
in one channel may
appear suspicious
when viewed
holistically. Forensic
data analytics will
help banks identify
and predict risk
patterns and issues
in advance.

By collaborating with law

enforcement agencies and the
government, banks can also
take the fight against financial
crime to the next level. A case
in point is the UKs Joint Money Laundering Intelligence Taskforce (JMLIT) initiative, a one-year
pilot started in February 2015 by the government,
banks, law enforcement agencies and others. The
task force, expected to become a permanent institution, was set up to study the scale and methods
employed in money laundering, suggest remedial measures and improve intelligence-sharing
across parties.8

Looking Forward
Fast-evolving financial crime and regulatory uncertainty impacts banks of all sizes and warrants a
proactive approach. Large banks with multiple
lines of business must focus on integrating various
crime prevention disciplines and building a culture
that supports data-driven decision-making. Banks
should consider hiring former military and law
enforcement intelligence officers with expertise in
analytics to proactively identify trends in transactions with links to terrorist organizations.
Small banks can seek technology and talent
resources from businesses that specialize in
cybercrime to avoid the high costs of procuring,
maintaining and updating technology, as well as
attracting and retaining people with needed skills,
while also gaining the flexibility to offer new products and services and enter new business areas.
This is significant as small banks are beginning
to adopt new business lines or product segments
that larger banks have exited due to higher BSA/
AML compliance risks.9
Improving collaboration within the banking industry, as well as with regulators and law enforcement
agencies, will result in targeted efforts to prevent
crime, improve compliance, alleviate talent constraints, contain costs and resolve other challenges.

References

What Are Economic Sanctions? Council on Foreign Relations, April 8, 2015,

http://www.cfr.org/sanctions/economic-sanctions/p36259.

New EU Anti-money Laundering Directive to Come into Force From 26 June, Out-Law,

June 10, 2015, http://www.out-law.com/en/articles/2015/june/new-eu-anti-money-laundering-rulesto-take-effect-from-26-june/.

Luc Meurant, Industry Should Pull Together to Combat Financial Crime, Financial News,

October 12, 2015, http://www.efinancialnews.com/story/2015-10-12/industry-should-pull-together-tocombat-financial-crime.

"Guidance for a Risk-based Approach: The Banking Sector," Financial Action Task Force, 2014,

http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf.

Footnotes
1

AML and Sanctions Enforcement The Price of Dirty Money, CEB TowerGroup, 2014,
https://www.cebglobal.com/content/dam/cebglobal/us/EN/best-practices-decision-support/financialservices/images/infographics/fs-tg-cb-anti-money-laundering-2014.pdf.

How Small Banks Manage Money Laundering and Sanctions Risk Update, Financial Conduct
Authority, November 2014, https://www.fca.org.uk/news/tr14-16-how-small-banks-manage-moneylaundering-and-sanctions-risk.

Banks Face Pushback Over Surging Compliance and Regulatory Costs, The Financial Times,
May 28, 2015, https://next.ft.com/content/e1323e18-0478-11e5-95ad-00144feabdc0.

Future Financial Crime Risks: Considering the Financial Crime Challenges Faced by UK Banks,
The British Bankers Association and LexisNexis, November 2015, https://www.bba.org.uk/wp-content/uploads/2015/12/Future-Financial-Crime-Risks-DIGITAL-final.pdf.

Brett Wolf, Link Cyber and Anti-money Laundering Units, But Do Not Combine Them Experts,
Reuters, March 30, 2016, http://blogs.reuters.com/financial-regulatory-forum/2016/03/30/linkcyber-and-anti-money-laundering-units-but-do-not-combine-them-experts/.

"The Convergence of Anti-Money Laundering and Cyber Security," K2 Intelligence, November 2015,
https://www.k2intelligence.com/wp-content/uploads/2015/10/2015-10-20-ABA-The-Convergance-ofAML-and-Cyber-Security.pdf.

Luc Meurant, Financial Crime Compliance: The Case for an Industrywide Approach, American
Banker, August 18, 2014, http://www.americanbanker.com/bankthink/financial-crime-compliancethe-case-for-an-industrywide-approach-1069406-1.html.

Joint Money Laundering Intelligence Taskforce, National Crime Agency, February 2015,
http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/economic-crime/joint-money-laundering-intelligence-taskforce-jmlit.

Daniel S. Alter, How to Lighten Community Banks AML Compliance Load, American Banker,
May 14, 2015, http://www.americanbanker.com/bankthink/how-to-lighten-community-banks-amlcompliance-load-1074307-1.html.

cognizant reports

Credits
Author and Analyst
Vinaya Kumar Mylavarapu, Senior Researcher, Cognizant Research Center

Subject Matter Experts

Henry Shiembob, Cognizant Chief Security Officer, Corporate Security
Daniel Smith, Cognizant AVP, Corporate Security

Design
Harleen Bhatia, Research Manager
Hari Kuppala, Senior Designer

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the worlds leading companies build stronger businesses. Headquartered
in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep
industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With
over 100 development and delivery centers worldwide and approximately 233,000 employees as of March 31, 2016,
Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked
among the top performing and fastest growing companies in the world.
Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters

European Headquarters

India Operations Headquarters

500 Frank W. Burr Blvd.

Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email: inquiry@cognizant.com

1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102
Email: infouk@cognizant.com

#5/535, Old Mahabalipuram Road

Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060
Email: inquiryindia@cognizant.com

Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is
subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

Codex 1949