Our Point of View. Protiviti 2

Transcription

1 Measuring the Right Metrics and Leveraging Risk and Perfrmance Indicatrs t Enhance the End-t-End Transactin Mnitring Prgram Issue Escalating regulatry pressures arund anti-mney laundering (AML) regulatins are driving a paradigm shift in hw rganizatins use technlgy t supprt their risk management and assurance activities. Optimizatin f transactin mnitring (TM) systems and supprting prcesses has been a ht tpic ver the last few years, and cntinues t be the fcus f regulatrs and financial institutins tday. A questin many institutins ask is Hw d we knw whether ur TM systems and/r prcesses are ptimized r nt? The answer is, by creating and analyzing system-generated reprts in rder t btain key metrics abut the system, which management can use as indicatrs f peratinal effectiveness, data quality and system perfrmance. By using these system-generated metrics, key stakehlders can gain visibility int any bttlenecks in the alerts review prcess, uncver data quality issues and take steps t address areas that may need immediate attentin. Metrics and metrics reprting nt nly measure the prgress and success f the TM prgram but prvide the fundatin fr an ptimizatin f the system. By using relevant management infrmatin (MI) reprts and fcusing n areas f underperfrmance, management can put measures in place t address inefficiencies befre they have a detrimental effect n the prcess and the rganizatin. Challenges and Opprtunities Financial institutins face multiple challenges with respect t btaining and leveraging the right metrics frm their TM systems. Based n ur experience, the fllwing situatins are typical: Nt knwing what t measure. Often, institutins dn t knw exactly what metrics they need t measure. This typically is a result f nt understanding which metrics are used t indicate an ineffective system. T ensure that the right metrics are being utilized, a well-defined AML gvernance framewrk must be established, alng with clearly articulated metrics that can be used t supprt the business and meet regulatry requirements. Nt understanding the data requirements. Mre typically, institutins struggle with identifying and surcing useful, cnsumable data. Incnsistent, duplicate r ut-f-date data will result in pr quality f infrmatin frm the measurements. Smetimes, the prblem is peratinal nt knwing hw t btain the data n which t perfrm measurements. T ensure that the right data is used t perfrm measurements, institutins shuld a) perfrm an analysis t determine the crrect data parameters t feed int a metric; b) ensure the defined data is suitable, i.e., available, cmplete and accurate; c) determine hw ften the data is refreshed; and d) understand the vlume f data required. Having disparate infrmatin management systems. We ften see institutins with databases that are fed infrmatin frm multiple TM systems, delivering incnsistent utput frm system t

2 system. These incnsistencies typically stem frm infrmatin systems having different business requirements; frm business rules nt being applied cnsistently t all infrmatin management systems; r frm a lack f understanding f the data structure, resulting in misinterpretatin f the surced data. Mre ften than nt, rganizatins struggle t identify the rt cause f disparate reprting n the same metrics when data is surced frm different repsitries. These rganizatins need t ensure that dcuments supprting the design f existing architecture, particularly business requirement dcuments, are clear, available and nt written at a level that is t high r difficult t cmprehend. Lack f a feedback lp between TM and case management systems. We als see a number f instances where institutins are unable t get the entire end-t-end picture because the MI reprts generated frm the TM system are nt linked t the end results prvided by the case management systems. This als creates issues with feeding vital infrmatin frm cases resulting in suspicius activity reprts and suspicius transactin reprts (SARs r STRs) back t the TM system s alert review and tuning prcesses. An apprpriate gvernance structure will help identify and extract the crrect data fr the TM system and link case results back t the system, clsing the lp. Managing cmpeting requirements. Anther typical prblem within rganizatins is the inability t manage multiple stakehlders and deal with a large number f diverse business requirements. Numerus requests fr similar reprts can clg the system as it attempts t run multiple queries frm the same data. Often, the verlad stems frm a lack f crdinatin and/r clarity when requesting infrmatin. Fr example, the infrmatin requirements that are passed t analytics teams fr the same type f reprt can differ based n wh is requesting the reprt (e.g., middle management vs. executive management). This can lead t analysts spending much f their time prducing multiple MI reprts instead f leveraging the infrmatin frm these reprts t prvide better infrmatin fr the business. Lack f clarity arund brader rganizatinal gals. TM initiatives driven by upper management may nt always trickle dwn t middle management. Likewise, initiatives driven by middle management may nt always align with the verarching enterprise strategy, resulting in disparate and ptentially cnflicting strategic initiatives mving frward, cmplicating perating mdels and wasting effrt. Once these challenges are vercme, hwever, institutins can gain a number f pprtunities t leverage the right metrics t understand and enhance their TM prgrams: Detectin lgic effectiveness and alert vlumes. Armed with the right measurements and infrmatin, management will be able t identify underperfrming detectin mdels and scenaris (e.g., n alerts r t many alerts generated) r changes in alerts stemming frm a shift in business requirements, which culd highlight the need fr tuning f the TM system. Data accuracy. MI reprt results that are well utside f management s expectatins may alert management t data r technical issues and prmpt the institutins t address them. Identificatin f emerging risks. Reprts that are accurate and based n the right metrics may prvide insight int new gegraphic areas r transactin types that are psing increased risk t the institutin. Staff perfrmance and cmpetency level. By reviewing MI reprt results, management will be able t gauge better the efficiency and prductivity f emplyees and may be able t ascertain whether prcesses need enhancement r whether additinal training shuld be prvided t the staff charged with reviewing the alerts. Our Pint f View Obtaining the right metrics can prvide institutins with infrmatin abut a number f key risk and perfrmance indicatrs (KRIs and KPIs) used t gain insight int the effectiveness f the deplyed TM system. These indicatrs can als help rganizatins in a number f ther ways. Fr example, KRIs can help track an rganizatin s risk appetite and als can help identify ptential emerging risks (i.e., Prtiviti 2

3 regulatry changes, industry standardizatin) and drive apprpriate risk mitigatin activities. KPIs can help rganizatins analyze histrical data and allw fr pattern recgnitin and frecasting which can be utilized in the areas f alert management and capacity planning. Figure 1. Definitin f KRIs and KPIs in the TM prcess KRIs KPIs Definitin: Metrics used by rganizatins t prvide an early signal f increasing risk expsures in varius areas f the enterprise. Definitin: Metrics that prvide a high-level verview f an rganizatin s perfrmance and/r the perfrmance f its perating units with a fcus n histrical perfrmance. Examples: Alert handling; investigatin and vlume f alerts generated; intrductin f new regulatins and industry benchmarks. Examples: Reprts highlighting mnthly, quarterly and year-t-date number f alerts prcessed; trends in alert backlgs and submitted SARs. KPIs and KRIs can and shuld be leveraged t uncver and address areas f inefficiencies in the end-tend TM prcess. Belw are examples f indicatrs pinting t an ineffective TM system r prcess: Indicatrs f Operatinal Issues Substantial backlgs and late alert clsures/ SAR filings Sudden spikes r significant decreases in alert vlumes frm ne mnth t the next Frequently late SAR filings affecting the submissin deadline High r lw cnversin rates (t many r t few) f alerts cnverted t SARs Indicatrs f TM System Ineffectiveness Certain transactin types never seem t generate alerts. Many high-risk custmers never seem t generate alerts. Number f manual referrals exceeds referrals frm system-generated alerts. The system generates a high percentage f recurring alerts n the same custmers, even thugh thse custmers were previusly investigated and deemed nt suspicius as activity is cnsistent with the nature f their business/accunt. T get t these crrect metrics, we recmmend institutins take the fllwing steps with regard t data, gvernance and reprting: Data Cnsideratins Review data sets t verify the accuracy, cmpleteness and availability f apprpriate data elements (parameters) feeding int reprts. Review histrical recrds assciated with a repsitry/data surce t determine if any filters are impacting the data quality. Fr example, fr data surces that are nt supprted by gd dcumentatin, perfrm testing and rt cause analysis t identify filters, transfrmatin rules, etc. Prtiviti 3

4 Establish data lineage t ensure that the apprpriate data is being extracted fr metric calculatins and all data transfrmatin rules are identified and assessed. Create a data mart t aggregate data frm disparate systems and have ne system f recrd fr generating reprts. Tightly integrate the TM and case management systems t leverage business intelligence develped at the investigatin level. Metrics and Gvernance Cnsideratins Develp effective metrics using the crrect parameters. Ask yurself if what is being measured is in fact what is required by the business t answer questins abut risk expsure r perfrmance. Frm a gvernance perspective, clearly define a prcess t help recrd the metrics being prduced as part f the alert management prcess (e.g., false psitive alerts, suspected SARs, actual SARs generated, alert vlumes, etc.). Manage business user expectatins and align/ratinalize business requirements where pssible thrugh wrking sessins. Establish drivers fr business requirements and determine if the same slutin shuld be applied t meet similar sets f requirements. Centrally manage initiatives and review against enterprise strategies and gals t ensure alignment. This will minimize duplicated effrt, identify pprtunities fr synergies between prjects/initiatives and effectively leverage the right resurces acrss the rganizatin. Establish gvernance cmmittees t review prject prgress and identify instances f deviatins frm initial prpsals/bjectives in rder t reassess effectively the value derived. Reprting Cnsideratins Establish a user interface that references the data mart frm which users (e.g., the business) can generate pre-established reprts. Allw users t create ad hc reprts frm the user interface. Ad hc reprts call t a refreshed data set at the mment the user creates the reprt. This enables users t get reprts with the mst up-t-date data, as well as view nly the data they want t view, saving users time. Cmbining the use f metrics, data analytics, AML technlgy and suspicius activity mnitring can help managers and stakehlders at financial institutins t: Prvide infrmatin n risks affecting the rganizatin Use better infrmatin in real time t ensure cmpliance with current lcal regulatins Becme aware f whether current business practices meet regulatry requirements and are aligned with rganizatinal risk strategy View crss-business and jurisdictinal transactins fr easy identificatin f trends and exceptins Determine if existing TM systems and prcesses require enhancement using peratinal and system indicatrs Re-estimate targets fr each metric and assess the peratinal impact f the alerts n time, cst and resurces Prvide data fr applying techniques such as scenari analysis, black-bx testing, data quality reviews, etc. Identify the rt cause(s) f an ineffective prgram Develp targeted slutins based n rt cause analysis cmpleted Refine the TM apprach, technlgy, methdlgy and templates based n key bservatins, trends and identificatin f high-risk indicatrs Prtiviti 4

5 Hw We Help Cmpanies Succeed Our AML prfessinals and ur team f mdeling experts, including Ph.D.-level prfessinals with deep quantitative skills, help institutins implement and maintain a sund and rbust threshld-setting and tuning methdlgy. We have experience with a number f AML transactin mnitring systems n varius platfrms, including but nt limited t Actimize, Detica NetReveal AML (Nrkm), Mantas and SAS AML, Fiserv, as well as a number f hmegrwn systems. Our AML transactin mnitring technlgy services include: Develping and executing a sund and efficient scenari-setting and tuning methdlgy and apprach Perfrming any r all f the fllwing tasks by acting as an independent team: AML red flag gap analysis Data validatin Scenari lgic validatin Threshld values validatin Perfrming custmer segmentatin Recmmending imprvements t scenaris/threshlds Example: Using Key Metrics t Enhance Management Infrmatin Reprting A large glbal bank sught ur assistance t enhance AML MI reprts in rder t identify imprvement pprtunities in its end-t-end transactin mnitring systems and supprting prcesses. Our integrated team f AML and Business Intelligence experts perfrmed a data quality review, identified key metrics and develped dashbards, which successfully helped ur client in enhancing its MI reprting prcess. Our wrk helped the client achieve the fllwing:. Enhanced usefulness and reliability f data. We generated reprts n data quality and cmpleteness, which allwed the institutin t identify areas f increased risk (where data was incmplete) and re-priritize remediatin effrts t fix the data issues and increase its mnitring cverage. Operating effectiveness and increasingly mature TM prcesses. We created custmized reprts that prvided middle management with real-time infrmatin n alert clearing prductivity. These reprts prmpted the institutin t find a different methd fr managing the alerts, which resulted in reduced headcunt and csts. Management infrmatin gvernance framewrk. The gvernance framewrk we implemented allwed the institutin t set in place prcedures t review and update MI reprts n an nging basis t ensure accuracy and timeliness, creating a sustainable reprting envirnment. Imprved reprting t regulatrs. The accurate and timely MI reprts n the end-t-end TM prcess enabled senir management t substantiate its discussins with regulatrs by using the MI reprts t supprt its messages. Prtiviti 5

6 Abut Prtiviti Prtiviti ( is a glbal cnsulting firm that helps cmpanies slve prblems in finance, technlgy, peratins, gvernance, risk and internal audit, and has served mre than 40 percent f FORTUNE 1000 and FORTUNE Glbal 500 cmpanies. Prtiviti and its independently wned Member Firms serve clients thrugh a netwrk f mre than 70 lcatins in ver 20 cuntries. The firm als wrks with smaller, grwing cmpanies, including thse lking t g public, as well as with gvernment agencies. Prtiviti is a whlly wned subsidiary f Rbert Half (NYSE: RHI). Funded in 1948, Rbert Half is a member f the S&P 500 index. Cntacts Carl Beaumier [email protected] Bernadine Reese [email protected] Jhn Atkinsn [email protected] Carl Hatfield [email protected] Luis Caneln [email protected] Chetan Shah [email protected] 2014 Prtiviti Inc. An Equal Opprtunity Emplyer M/F/D/V. Prtiviti is nt licensed r registered as a public accunting firm and des nt issue pinins n financial statements r ffer attestatin services.