Insight

Transaction monitoring: its importance and how you can do better

Written by Teodora Harrop, FICA on Monday June 27, 2022

Ahead of the imminent launch of a new virtual classroom workshop, we are taking a look at transaction monitoring (TM): what it is, what risks to look out for and how we can learn from examples of poor TM to ensure staff have the relevant skills and knowledge to carry out this integral business function.

What is transaction monitoring and how is this carried out?

Transaction monitoring is a key control used by financial institutions to identify suspicious transactions and mitigate the risk of financial crime. Whilst the requirement to undertake transaction monitoring evolved as a result of anti money laundering (AML) legislation, its importance has also been magnified and reinforced by increased regulatory attention and significant fines.

Firms use a blend of manual and automated systems, depending on the volume and complexity of the transactions they process, their risk appetite, and their level of maturity. The value of the financial investments allocated to TM’s technical and human resources is a key factor informing the quality of the systems and controls, and the relative level of sophistication.

How can you identify deficiencies in the TM system?

In their ‘Financial Crime Guide – a firm’s guide to countering financial crime risks’, the UK’s financial services regulator, the Financial Conduct Authority (FCA), provided the following examples of bad practice:

The firm fails to take adequate measures to understand the risk associated with the business relationship and is therefore unable to conduct meaningful monitoring
The [money laundering reporting officer (MLRO)] can provide little evidence that unusual transactions are brought to their attention
Staff always accept a customer’s explanation for unusual transactions and do not probe further [1]

The above examples highlight the importance of staff having the knowledge and the confidence to challenge transactions, whilst maintaining a degree of professional scepticism.

Several (TM) deficiencies were also identified following the recent FCA review of challenger banks:

inconsistent and inadequate rationale for discounting alerts by alert handlers
a lack of basic information recorded in the investigation notes
a lack of holistic reviews of the alerts [2]

The regulator also commented that failing to complete timely transaction monitoring also had a detrimental impact on the ability to submit Suspicious Activity Reports.

Emerging risks, ‘traditional’ problems

We have recently seen unprecedented packages of economic sanctions imposed in response to the invasion of Ukraine. Whilst misuse of the ‘traditional’ financial services sector remains an area of heightened risk regarding sanctions evasion, there is growing concern regarding misuse of cryptocurrencies and decentralised exchanges.

The case below highlights the domino-effect of criminality following the actions of Gidiplus, a firm offering crypto ATM (CATM) [3] services. Gidiplus was ordered to cease activities, after the Upper Tribunal [4] ruled that:

Gidiplus is unable to undertake meaningful transactions monitoring in relation to a proportion of its transactions because Gidiplus does not attempt to assess the purpose and intended nature of the business relationship at the point of onboarding.

The judge also commented that the owner of the business, a Mr Osunkoya, misled the banks by:

[G]iving the banks the impression that Gidiplus carried on an events business. By doing so, he prevented the banks from meeting their know your customer obligations on the basis of the correct information and thereby put at risk their own compliance with the money laundering regulations. He compounded the situation by seeking to disguise the nature of the transactions that went through the Gidiplus’s accounts.

In addition to the concerns regarding the integrity of the owner, the lack of understanding of the principal risks associated with the business is noted throughout, stating that Mr Osunkoya:

[L]acked sufficient experience and training to undertake the roles of Nominated Officer and senior manager responsible for compliance, not having undertaken any significant compliance role before and that he has only completed 1.5 hours of training in anti-money laundering and anti-bribery.

What can we learn from the issues above?

The learning points from examples and bad practice can be pro-actively used by all financial institutions, to identify any gaps or improvement areas in their systems and controls.

One can use the checklist below for an early ‘diagnosis’ of the health of the TM framework and to identify existing and emerging risk exposure.

Is there a documented risk assessment, which considers transactions risk?
Has the MLRO conducted targeted training to encourage staff to report any unusual or suspicious transactions?
Are the policies and procedures fit for purpose?
Is there comprehensive training delivered to alert handlers?
Is there an adequate assurance programme in place, proportionate to the scale and complexity of the firm?
Does this consider elements like appropriateness of system calibration and record keeping?

Training and education

Whilst Gidiplus may seem an extreme example illustrating inadequate and insufficient training, the importance of a structured programme of training and education should not be underestimated. Online training on its own may provide a basic level of awareness for all staff, but it is unlikely to be sufficient for staff responsible for transaction monitoring.

ICA Essentials - Transaction Monitoring

The board of directors must be aware of the risks associated with failure to monitor transactions and the limitations of the systems used. Their support in mitigating these risks is critical in the development of a strong anti money laundering culture.

Whatever else may change in the compliance landscape, a firm’s culture, education and training remain key in preventing financial crime.