How BNP Paribas specifically categorizes and monitors high risk transactions

Colleagues:
On May 13th, James McGinnis, a Managing Director who heads the U.S. anti-money laundering compliance effort for BNP Paribas and an affiliated broker-dealer, delivered a presentation on how a globally regulated financial institution specifically categorizes and monitors high risk transactions, addressing four questions:
- WHY ARE WE MONITORING?
- WHAT ARE WE MONITORING?
- HOW ARE WE MONITORING?
- DOES IT WORK? (Most important question)

Below is a brief re-cap of Mr. McGinnis's thoughts and insights on the issues above.

WHY ARE WE MONITORING?

To protect one’s institution against bad guys, e.g. money launderers, sanctioned parties, terrorist financiers. In BNP Paribas's case, they also worry about OFAC, European Union and various other international sanctions because they are a European bank.

One needs to distinguish between interdiction and monitoring. Interdiction stops transactions from transpiring by blocking or rejecting them; this is the main issue for OFAC.

Monitoring, on the other hand, is the review of transactions after they have occurred so as to identify patterns and ultimately take action by filing a suspicious activity report (SAR) or perhaps even closing the account.

Screening places the focus on customer identification upfront. Those are the three distinctions (interdiction, monitoring and screening) drawn from a Wolfsberg statement a number of years ago.

(See link to Wolfsberg Statement - Guidance on a Risk Based Approach for Managing Money Laundering Risks below.)

The second reason why financial institutions should monitor transactions is to protect themselves against regulators. Having said that, it is important to realize that these two goals may or may not be entirely consistent; certainly the way one documents and handles issues varies. The regulators are going to focus on policies and procedures. They will expect financial institutions to have automated systems. There are some areas not amenable to automated systems, such as Trade Finance, where there may not be a lot of automation in the processing of transactions; hence, there are no automated hooks into the dataflow.

Of course, regulators also expect training. Training is nominally risk-based. Financial institutions should train all employees, just to be on the safe side. The highest risk areas should have additional training.

Recordkeeping is always a big issue for the regulators. One doesn't get credit for things one doesn't have a record of. That is why BNP Paribas put a lot of effort into their monitoring system, making sure they have an effective review of transactions which they can document for auditors and regulators.

Consistency is another big issue. Both internal and external auditors and regulators will spot if one handles a situation one way, then handles a similar situation a different way another time. Therefore, it is crucial that one deals with circumstances and problems in the same manner every time.

The FFIEC Manual is the bible for all of this, the document the examiners will have in their hands when they come to audit your firm:

http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2007.pdf

This Manual should be referenced frequently by a financial institution's analysts and investigators, because the examiners will be doing just that.

Are risk-based programs a myth? There's a lot of lip service paid to risk-based programs. As a practical matter, every program has to be risk-based to a degree: one can't look at every transaction and give each the same focus. Nonetheless, the risk-based analysis and the risk assessment are in the regulator's mind and, as a regulatory practice, have achieved something of a life of their own.

Think for a moment about OFAC. That is a strict liability rule. Listen to OFAC officials talk; they are very clear about that. If one processes a violative transaction, one will likely have a problem. One has an obligation to stop those violative transactions. In BNP Paribas' case, upon the urging of their regulators, they run OFAC interdiction on just about every name that comes into their firm. Their fund transfers are screened. Their employees are screened. Their customers are screened. Their vendors are screened. They haven't had a true hit on an employee, a vendor or a customer, yet they are required and expected to do that. BNP Paribas is also expected to do an OFAC risk assessment to rate the risk of all these entities. No matter how low the risk rating is, they still wind up screening them.

This is also true when it comes to monitoring, although they take great pains to assess their transactions for risk and to produce a rated risk assessment for each product line. They also endeavor to monitor every product line to the degree that they can, because the risk here is a reputational risk rather than a financial risk. So what is reputation worth? It is priceless.

In terms of the actual analysis of their risk, BNP Paribas uses a risk matrix that they developed particularly for customer onboarding. They apply it to other areas, too, when they can. It considers three factors:

- Client's business activity: If the client is in one of the designated high risk businesses, such as foreign correspondent banking, money remitters, car or boat dealers, jewelry dealers, etc., the client would be considered high risk. BNP Paribas uses a scale of one to five. They try to identify every business line they can think of and place it on that scale.

- Client geography: This concerns the country the client comes from. BNP Paribas uses a three-part scale. They consider three countries: the country they are dealing with; where the client is incorporated; and where the client's principal business or a corporate counterparty is located. Of these three countries, they use the highest risk score. They have a country risk matrix that they created based on various factors: transparency; international; non-cooperative countries; and so forth.

- Product risk: Products that represent long-term investments, equity trades for example, carry a lower risk than shorter-term investments and products that can be used to readily transfer value.

BNP Paribas developed a risk score matrix that weights these three factors as follows:

- Client's business activity: 55%
- Client geography: 30%
- Product risk: 15%

Since the abovementioned weighting is somewhat relative and arbitrary, BNP Paribas has a governance process around determining these issues. In their case, there is the Anti-money Steering Committee for the U.S. Territory; it meets on a regular basis to approve things such as this type of weighting. And if people ask how they arrived at certain decisions, they are able to explain that they made recommendations and a presentation to the committee, and the committee in turn decided on the weightings.

The importance of this type of governance should be highlighted because, in so many of these situations, it is impossible to point to objective criteria for making decisions. When one has a strong governance process, one has a mechanism justifying the decisions, even if the process is somewhat subjective.

BNP Paribas also has a couple of special considerations that boost a counterparty's risk rating: for example, the involvement of a PEP or a foreign correspondent bank, or some other category outside the three basic criteria.
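As an added illustration (not BNP Paribas's own matrix), here is the weighted scoring in Python: the three factors on a one-to-five scale, the highest of the three country scores for geography, the 55/30/15 weighting, and a boost for PEP or foreign correspondent involvement. The lookup tables, boost sizes, tier cut-offs and sample clients are constructed assumptions.

```python
from dataclasses import dataclass, field

# Weights from the talk: business activity 55%, geography 30%, product 15%.
WEIGHTS = {"business": 0.55, "geography": 0.30, "product": 0.15}

# Constructed one-to-five lookup tables; the real matrices are BNP Paribas's own.
BUSINESS_RISK = {"foreign correspondent bank": 5, "money remitter": 5,
                 "car dealer": 4, "jewelry dealer": 4, "software publisher": 2}
COUNTRY_RISK = {"US": 1, "FR": 1, "PA": 3, "IR": 5}
PRODUCT_RISK = {"equity": 1, "fx": 3, "wire": 4}
# Special considerations outside the three factors (boost sizes are assumptions).
BOOSTS = {"pep": 1.0, "foreign_correspondent": 1.0}

@dataclass
class Client:
    business: str
    dealing_country: str          # country the bank is dealing with
    incorporation_country: str    # where the client is incorporated
    business_country: str         # principal business or corporate counterparty
    products: list
    flags: set = field(default_factory=set)

def geography_score(c):
    """Highest of the three country scores; unknown countries score 5 (fail closed)."""
    return max(COUNTRY_RISK.get(cc, 5) for cc in
               (c.dealing_country, c.incorporation_country, c.business_country))

def risk_score(c):
    """Weighted score, then any boosts, capped at the top of the scale."""
    base = (WEIGHTS["business"] * BUSINESS_RISK.get(c.business, 5)
            + WEIGHTS["geography"] * geography_score(c)
            + WEIGHTS["product"] * max(PRODUCT_RISK.get(p, 5) for p in c.products))
    return round(min(base + sum(BOOSTS.get(f, 0.0) for f in c.flags), 5.0), 2)

def risk_tier(score):
    """Constructed cut-offs for turning a score into an onboarding tier."""
    return "high" if score >= 4.0 else "medium" if score >= 2.5 else "low"
```

Unknown businesses, countries and products deliberately score 5 so that a gap in the lookup tables raises the rating rather than silently lowering it.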

WHAT DO WE MONITOR? As much as one possibly can.

BNP Paribas executes fund transfers, a primary focus for them since they are the U.S. dollar clearing agent for the global BNP network. A client can walk into a Paris branch and wire dollars to his uncle in Yugoslavia. The transaction goes through the New York branch of BNP Paribas, and is subjected to their monitoring mechanism.

BNP Paribas also screens ACH payments. They unbundle them in order to screen the details when they act as agent for payments. One can accomplish the same thing with an ACH that one can with a SWIFT transfer; the only difference is the certainty and timing of the payments. Then again, if you are a money launderer, you probably don't care about that so much. They apply exactly the same criteria and methodology to ACH payments as to SWIFT payments.

BNP Paribas traditionally has not been an ACH vendor. They started relatively recently and, unlike most institutions, have an extremely low volume. Due to their low volume, BNP Paribas is able to simply unbundle the payments rather than process the lump payments. They look at the details and subject them to the same algorithm normally used for fund transfers. The most effective rules are rules based: if the system picks up transactions such as multiple originators to a single party over certain parameters, or a single beneficiary from multiple originators over different parameters, it will trigger alerts.

Another type of ACH monitoring that BNP Paribas also does, and which most institutions should be doing for ACH, is to look at the returned items. They have seen some evidence of fraudulent attempts to hit accounts there: not by their customers, but with their customers having been the victims of people originating bogus debits.

BNP Paribas looks at Capital Markets transactions. They look at Trade Finance. With Trade Finance transactions, it is a manual process. They look, to the extent that they can see details, at the underlying transaction. They are not looking at the actual Letter of Credit, nor so much at the payment under the Letter of Credit, as at the transactions themselves, in an effort to determine appropriate pricing and to see if there's evidence of inappropriate money movement. It is very difficult to determine pricing for a lot of commodities.

Insider trading: Some of the Capital Markets products are monitored through exception reports coming from the operating system. They are in the process of rolling out the same automated system for all of the Capital Markets products, though it will take a while before it's finished. They are also thinking of combining the AML Team with the Capital Markets Monitoring Team because of the efficiency to be derived from such a merger.

BNP Paribas reviews checks. Again, they clear relatively few checks. What they look at are the returned items and the exceptions. And, actually, they generate quite a few SARs (percentage-wise) out of returned checks: counterfeit checks that have been presented to them by their cash management department. In most of those cases, they can't tell if their customers are the perpetrators or the victims. In most cases, they are probably innocent victims, but somebody, somewhere, has committed a crime when a counterfeit check or a forged instrument is presented, and so they report them.

BNP Paribas looks at third party payments, which are easy to overlook, particularly in the FX (foreign exchange) area.

One deals with a customer buying yen for US dollars, and it seems like a straightforward transaction, not much different from an investment transaction. But then they want the yen delivered to one of their suppliers or some third party. So BNP Paribas will look at those transactions, too, because one can accomplish a movement of funds just as one would with a SWIFT transfer, except that it is across currencies.

They also look at their vendors and employees, mostly for OFAC but also for payments. In some cases, they do wire international funds for their employees or make FX transactions.

HOW DO WE DO IT? Well, there's manual monitoring which the regulators are not fond of, but some pieces such as Trade Finance have to be done manually.

The main effort is focused on their automated systems.

BNP Paribas has one system that they use for funds transfers and bank transactions. They have another automated system used for Capital Markets. Overlying both is a case management system: the work is generated in the basic systems, and alerts that can't be immediately resolved are referred to the case management system to be worked on there.

BNP Paribas has a couple of interdiction systems. They all start with the source lists: the SDN list; the OFAC sanctioned country lists; the European sanctioned country lists; and the local sanctioned country list.

They use various algorithms. The three basic methodologies are as follows:

Stop descriptors - All one needs to do is take the list and perhaps enhance it. Thus, if one has a John Doe on the list, one inputs John Doe, Johnny Doe and Jonathan Doe, and tries to identify other specific names and specific descriptors that might match.

And then there's phonetic matching, with varying degrees of sophistication, which tries to pair up and identify phonetic misspellings and variations; the more sophisticated systems apply, for example, Arabic phonetic rules and transliteration rules.

Lastly, there's the fuzzy logic approach that tends to get approximate phonetic matches.

Monitoring systems

BNP Paribas's monitoring systems have three basic sets of rules.

Rules based, such as more than "X" transactions in "Y" days.

Change based systems are the most common ones. These compare the current activity with past activity. Some are extremely simple: tally up the dollar amount of transactions from last month and compare it with the current month, or use a twelve-month rolling average, or a six-month rolling average, or one criterion for twelve months and different criteria for six months. Some are much more statistically complicated, though the basic premise is that the current activity differs from prior activity. Mr. McGinnis is somewhat skeptical of this approach, at least in a wholesale environment. He believes that in an institutional environment that basic premise probably makes sense, but he disagrees with the underlying assumption that money laundering is more volatile than legitimate activity. Mr. McGinnis believes that, in the institutional world, there are a great many factors for volatility to appear in an account other than a nefarious reason. Market conditions or new business could be why there was a jump in volume, for example Airbus receiving a new contract for a fleet of planes.

Which brings us to the third set of rules: some systems claim various degrees of artificial intelligence. Probably the most effective approach is systems that learn from the previous activity of clearing alerts. For example, a particular type of volatility alert fires because account X has changed by two standard deviations this month. Next year, the system remembers this occurred, so it becomes a seasonal factor; or the threshold rises every time an investigator clears an alert that he or she found not to be problematic. However, every time an investigator files a SAR on an alert, the system lowers the threshold.
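As an added example (not from the presentation or any BNP Paribas system), the three rule families in Python: a rules-based count of more than X transfers in any Y-day window, a change-based comparison of the current month against prior months measured in standard deviations, and an adaptive threshold that rises each time an alert is cleared and falls each time a SAR is filed. The sample transfers, monthly totals, step size and bounds are constructed.

```python
from collections import defaultdict, deque
from datetime import date
from statistics import mean, pstdev

# Constructed sample of (account, value date) pairs; not real data.
TRANSFERS = [("ACCT-1", date(2008, 5, d)) for d in (1, 2, 2, 3, 5)] \
          + [("ACCT-2", date(2008, 5, d)) for d in (1, 15, 30)]

def rules_based_alerts(transfers, x, y_days):
    """Rules based: flag any account with more than X transfers in any Y-day window."""
    by_acct = defaultdict(list)
    for acct, d in transfers:
        by_acct[acct].append(d)
    alerts = set()
    for acct, dates in by_acct.items():
        window = deque()
        for d in sorted(dates):
            window.append(d)
            while (d - window[0]).days >= y_days:   # drop dates that left the window
                window.popleft()
            if len(window) > x:
                alerts.add(acct)
    return alerts

def change_based_alert(monthly_totals, sigma_threshold=2.0):
    """Change based: compare the current month with the average of the prior months
    and alert when it deviates by more than sigma_threshold standard deviations."""
    *history, current = monthly_totals
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return current != mu
    return abs(current - mu) / sd > sigma_threshold

class AdaptiveThreshold:
    """Learns from dispositions: a cleared alert raises the threshold for the account,
    a SAR lowers it; the floor keeps the rule from being tuned away entirely."""
    def __init__(self, sigma=2.0, step=0.25, floor=1.0, ceiling=4.0):
        self.sigma, self.step, self.floor, self.ceiling = sigma, step, floor, ceiling
    def cleared(self):
        self.sigma = min(self.ceiling, self.sigma + self.step)
    def sar_filed(self):
        self.sigma = max(self.floor, self.sigma - self.step)
    def alert(self, monthly_totals):
        return change_based_alert(monthly_totals, self.sigma)
```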

All of the above leads us to the big question: Does it work?

Interdiction is conceptually pretty simple, unlike finding money laundering transactions or trying to figure out what is terrorist financing. With interdiction, one has the listed names published by OFAC and the European Union. Around the globe, BNP Paribas uses at least three different systems. Some are proprietary and some are vendor products. As a test, they took one day of about twenty thousand U.S. dollar fund transfers cleared through their New York network. BNP Paribas usually uses different tools for different pieces, but for this test they applied all the tools to the same data for that day. The results?

There was a surprising lack of overlap. Of the six thousand alerts that were generated by the different algorithms (Phonetic: 460; Stop Descriptor: 1,008; Fuzzy Logic: 5,529), only 176 were flagged by all three. (See page 8 for the diagram.)

That day, BNP Paribas knew there was one transaction that should have been interdicted: one out of the twenty thousand that they actually stopped and reported to OFAC. Fortunately, all three systems caught that one; it was among the 176 transfers flagged by all three. In actuality, out of that day, only one of the 6,000 alerts was a true hit, in the sense that it was a transaction that had to be rejected.

Bear in mind that if a payment is eventually released, it does not necessarily mean that the filter was defective. For example, a payment with the reference field "payment for Cuba" would have to be stopped and investigated. If the investigation revealed that the payment was going to the actor Cuba Gooding, it would be released: a false positive, but through no fault of the filter.

The interesting thing is that there was so little overlap among the above-referenced filtering tools. Even though they were all supposed to be working from the same lists, the end results were very different. So, how does one account for the differences? It could be that one system is using a slightly flawed list, in that certain OFAC entities were not promptly updated. Or one may have a system that eliminates certain common nicknames found on OFAC's list. The truth of the matter is that each of the systems generates a lot of false positives and, to a greater extent, each generates different false positives.
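To make the three interdiction methodologies described above, and the low overlap between them, concrete, here is an added example that is not any of BNP Paribas's or a vendor's systems: a stop-descriptor filter over a list plus analyst-added descriptors, a Soundex-based phonetic filter, and a similarity-ratio fuzzy filter, all run over the same names so the per-method alerts and the all-three intersection can be compared. The watch list, the party names and the 0.8 fuzzy cutoff are constructed.

```python
import difflib

# Constructed watch list with analyst-added stop descriptors; not real OFAC entries.
WATCH_LIST = {"John Doe": ["Johnny Doe", "Jonathan Doe"],
              "Abd Al Rahman": ["Abdul Rahman"]}
# Constructed day's worth of payment party names to screen.
PARTIES = ["John Doe", "Jon Doe", "Johnny Doe", "Jane Doe", "Abdul Rahman", "Cuba Gooding"]

def soundex(word):
    """American Soundex: first letter plus three digits for the consonant groups."""
    groups = ("aeiouyhw", "bfpv", "cgjkqsxz", "dt", "l", "mn", "r")
    code = {c: i for i, letters in enumerate(groups) for c in letters}
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    out, last = word[:1].upper(), code.get(word[:1], 0)
    for ch in word[1:]:
        digit = code.get(ch, 0)
        if digit and digit != last:
            out += str(digit)
        if ch not in "hw":          # h and w do not separate repeated codes
            last = digit
    return (out + "000")[:4]

def stop_descriptor(name):
    """Exact match on the listed name or any analyst-added descriptor."""
    n = name.lower()
    return any(n == listed.lower() or n in (a.lower() for a in aliases)
               for listed, aliases in WATCH_LIST.items())

def phonetic(name):
    """Token-by-token Soundex equality with a listed name."""
    key = tuple(soundex(t) for t in name.split())
    return any(key == tuple(soundex(t) for t in listed.split()) for listed in WATCH_LIST)

def fuzzy(name, cutoff=0.8):
    """Similarity ratio at or above a cutoff (the cutoff is a constructed tuning value)."""
    return any(difflib.SequenceMatcher(None, name.lower(), listed.lower()).ratio() >= cutoff
               for listed in WATCH_LIST)

def screen(parties):
    """Run all three filters and report the alerts per method plus the overlap."""
    hits = {m.__name__: {p for p in parties if m(p)}
            for m in (stop_descriptor, phonetic, fuzzy)}
    hits["all_three"] = hits["stop_descriptor"] & hits["phonetic"] & hits["fuzzy"]
    return hits
```

On the constructed names, "Jane Doe" is alerted only by the phonetic filter and "Abdul Rahman" only by the stop descriptor and fuzzy filters, which is the kind of divergent false positive the test described above surfaced.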