Regulators may require a financial institution to perform a transaction review of historical activity, often referred to as a “lookback,” when they determine that the financial institution does not have an adequate transaction monitoring program and/or has not evidenced sound decision making in determining whether transactions are suspicious or not. The scope of the lookback may span from six months to multiple years. Often, the regulators will mandate that the financial institution engage an independent third party to perform the lookback.
Lookbacks are time-consuming and costly and often perceived by the industry as punitive exercises that provide little real value to an institution. If your institution is facing a lookback, consider the following lessons learned for maximizing efficiency and value.
- Select the right party: If you are required to engage an independent third party, make sure you select a firm that will be credible with the regulators (who often will need to provide a non-objection), that has lookback experience comparable to the scale of your lookback, and that understands the customers you serve, the geographic markets in which you engage, and the products and services you offer. If the third party you are considering does not meet these criteria, choose another firm.
- Understand the approach: Ask the third party how it will approach the lookback to achieve maximum efficiency – for example, what transaction data will and will not be in scope, how it will produce alerts, how it will triage and assign alerts for review, what documentation will be developed and where this documentation will be stored, and what the final deliverables will be. If the third party cannot readily respond to these questions, consider another firm.
- Be candid and open about the challenges: If you know from your own experience that the third party is underestimating the number of potential alerts, that certain information (check details, for example) will be challenging to retrieve, or that certain customers/counterparties are likely not to be cooperative in responding to questions because of, for example, privacy laws in their home country or because you terminated your relationship with them subsequent to the lookback period, tell the third party. This will help ensure that they build a realistic project plan and timetable.
- Get regulator buy-in: Whether it is explicitly required or not, ask for the regulators’ feedback on the planned approach and deliverables. This will help ensure that the lookback methodology and final deliverables will align with regulatory expectations.
- Ensure availability, access and understanding of data: Invest time at the beginning of the project to ensure that the third party performing the lookback has access to all required systems (core systems, transaction monitoring systems, know your customer [KYC] systems, etc.) and take the time to explain these systems and their configurations (for example, are there products that are not included in your transaction monitoring system, are certain transaction codes suppressed in the system, do you use “white lists,” how are accounts linked?). Doing this upfront will minimize the potential that the party performing the lookback will form opinions based on flawed or incomplete data or lack of understanding of the data, or that work will need to be re-performed because the wrong or inadequate data was used.
- Establish and communicate operating protocols: Effective and timely communications will be critical to meeting the lookback project timeline. Make sure you and the third party are on the same page with respect to how and to whom questions will be escalated and how long you have to respond to those questions. Also, remember that the final report is expected to include information on the disposition of any activity referred to you by the third party for SAR filing consideration. The expectation is that disagreements between you and the third party on when a SAR should be filed will be minimal, but when they do occur, you should document your rationale clearly and completely.
- Stay engaged: The fact that the third party is required to operate independently does not mean you should not be informed about how the lookback is progressing and what the third party firm is finding. The third party should provide you with regular status reports and hold periodic status meetings. If this is not the case, you should require it. Regulators will expect this of you, and you certainly don’t want to be blindsided at the end of a lookback project by finding out that you need to file an unexpectedly large number of SARs.
- Consider how the results of the lookback will be integrated into your monitoring program: Often, lookbacks are performed in a system environment you provide, but that is segregated from your existing production environment. Make sure you understand how the information developed during the lookback (investigation files, SAR/No SAR decisions, etc.) will be integrated into your case management system at the completion of the lookback so that you have complete records.
- Ask for recommendations: Although the primary objective of the third party is to identify any potentially suspicious activity that you may have missed, the third party will learn a lot about your customers and their activity, and your existing transaction monitoring capabilities and processes. Ask the firm to provide you with recommendations on changes you can make to enhance your transaction monitoring.
- Respect the independence of the third party: You should always expect the independent third party to ask for your factual review of deliverables and, while you are always free to suggest other changes, you should understand that the third party may not always agree with you and is obligated to report its findings objectively, based on its own work and convictions. It is important to the credibility of the lookback that both you and the third party respect the boundaries of independence.