Financial institutions have long suffered from the twin problems of high transaction-monitoring alert volumes and incomplete or low-quality data. Even before the COVID-19 pandemic, these challenges posed a constant risk to institutions by threatening to overwhelm compliance staff and making it difficult to implement an enterprise-wide risk-based approach. The challenges brought on by the pandemic have only further exacerbated these problems by changing workplace dynamics, customer behavior, and the threat situation. Now is the time for financial institutions to make the enterprise-wide risk assessment process more dynamic so that it can match the rapidly evolving risk environment.

Financial Institutions and COVID-19: The New Normal

Changes to the global economy brought on by the pandemic have caused many companies around the globe—including financial institutions—to alter the ways they work as well as the way they interface with customers and others. Further complicating these changes for financial institutions is their regulatory compliance burden, which has not changed. Financial compliance departments are thus facing a multitude of new challenges:

• Compliance staff are working from home, exposed to new distractions and security challenges.
• All customers are relying more on non-face-to-face relationships, with retail and small to medium enterprise customers in particular increasingly turning to digital transactions, such as mobile banking.
• Corporate customers are transacting with new geographies and counterparties as they try to rebuild frayed or depleted supply chains.
• New threats and illicit finance typologies are emerging as bad actors attempt to exploit the crisis by creating fake charities, peddling counterfeit or nonexistent products and cures, and attempting to defraud government-run assistance programs.

What do these challenges demonstrate to financial entities? It is no longer sufficient to examine enterprise-level risks once a year during the annual anti-money laundering (AML) and sanctions risk assessment process—financial institutions need more than a static snapshot of their exposure at a single moment in time. Current risk assessment processes are too often onerous and resource intensive while failing to equip financial institutions with the information they need to employ a risk-based approach that adapts to the evolving nature of these risks.

Shifts in customer behaviors and emerging COVID-19-related threats are triggering a high volume of false-positive transaction-monitoring alerts based on rules meant to identify deviations from expected behavior that may be suspicious. This further strains already stretched compliance teams and amplifies challenges related to the lack of complete and reliable data needed to fully understand expected customer behaviors and risk factors. As a result, pressure continues to build on the compliance controls in place to mitigate risk as traditional, static, rules-based transaction-monitoring systems are unable to adapt to the dynamic risk environment.

It is very easy for financial institutions to go into crisis management mode as they attempt to triage the increasing risks and alerts. However, even during a crisis like the current pandemic, it’s important not lose sight of how vital it is to take a holistic approach to enterprise-wide risk management to achieve a sustainable and efficient compliance program in the long term. If the current situation has vividly illustrated anything, it is that risks facing financial institutions are not static. Like the weather, risks change constantly in response to external elements such as customer behavior, geopolitical instability, technology, and pandemics, and internal factors such as resources and systems.

Changing How Risk Is Understood and Managed

Financial institutions should seek flexible and innovative approaches to understanding and managing risk. For entities that want to reexamine their approach, a good first step is to review the current risk assessment, as well as the data behind the assessment, and ask:

1. Have we clearly defined both the inherent risk factors in our assessment and the data sources that enable us to measure the inherent risks? For example, if geographic exposure is a risk factor used to assess the inherent risk of a line of business, financial institutions need to articulate the source of the geographic data (where a customer lives; where a business operates or does business) and have a defined process to extract the specific data information from its customer or transaction data.
2. Similarly, have we defined a specific mitigating control or group of controls for each inherent risk factor and identified both the data we will use to assess the control(s) and the source for that data? Institutions frequently rely on qualitative or largely anecdotal information from compliance teams to measure the strength of internal controls, whereas regulators place more value and credibility on more objective or quantitative data that can provide a more accurate and reliable evaluation of the strength of the control framework. Institutions must make every effort to minimize subjectivity in how the strength of controls is assessed if they want to meet regulatory expectations and—if they want to exceed those expectations—be able to provide documentation that demonstrates all the efforts taken to arrive at the final product.
3. Do we have the data we need, are we confident in its accuracy and completeness, and can it be accessed quickly? It is crucial that financial institutions identify the systems that can provide the data and have a defined process to extract the data that’s needed to complete the risk assessment. One way an institution can confidently and efficiently harness the existing data in their systems is to map it to specific risk indicators and/or controls via a tool such as a risk/control matrix. A transaction-monitoring system and its controls are a good place to start because they provide hard data that can be used to assess both risk exposure and the efficacy of controls.

Ultimately, the long-term goal of any global financial institution should be to have a dynamic and sustainable risk assessment process that provides a real-time or near-real-time view of its changing risk and control environment. Such a system helps an institution identify and rapidly adapt to emerging risks and determine if controls are weakening under strain while creating a continuous feedback loop that strengthens processes and controls.

The Rewards of Change: A Dynamic Risk Assessment Process

Ensuring that financial institutions can confidently and efficiently harness the data already within their systems and map them to identified risk indicators is critical to achieving this more dynamic view of risk in a sustainable way because it presents opportunities for automation and efficiency. Transaction-monitoring systems and controls are one important piece of the data puzzle because they are a key source of data for assessing both risk exposure and the efficacy of controls. To clearly see the full picture, however, financial institutions must also ensure the completeness, accuracy, and accessibility of data in other areas such as customer due diligence files and core banking and payment platforms.

Even in this time of crisis during which financial institutions are facing economic headwinds and struggling to keep up with a rising tide of false-positive alerts, it remains critical for financial institutions to invest in this long-term vision. An integrated approach to risk assessment and data management is critical to moving toward a more sustainable and effective enterprise-wide risk management program. Financial institutions should seize this moment, leverage the existing momentum of changes to processes and procedures, and take the opportunity to enhance the risk and control assessment process and address data challenges. An investment now will pay dividends in risk management and quality data in the future.