by Rick Myburgh


With 13 years’ experience working with financial institutions to deliver Fin Crime programs across APAC and North America, Rick shares his seven best practices for implementing or strengthening a financial crime program.


On the back of significant fines in 2020 for two of Australia’s major banks for breaches of anti-money laundering (AML) and counter-terrorism financing (CTF) laws, the Australian regulator, the Australian Transaction Reports and Analysis Centre (AUSTRAC), will continue to step up its focus on Financial Institutions (FIs) and how they are managing their financial crime risk programs. This, combined with the strengthening of the Banking Executive Accountability Regime (BEAR) by APRA, has placed an increased burden on FIs.

Due to the increasing use of digital acquisition channels, increasing data sources, real-time processing and a demand for a seamless customer experience, compliance programs have become integral to the day-to-day operation of FIs and are required to be effective, efficient and up to date.

In this article we will explore some of the best practices to consider when implementing or maintaining an AML/CTF compliance program.

1. Board and senior management involvement, accountability and approval and their ongoing oversight and support of your program

  • Create and embed a Risk Culture and agree enforceable Key Performance Indicators (KPIs) across all lines of business and divisions
  • Establish and publish clear role accountabilities in the form of a RACI related to those KPIs across all lines of business and divisions. This should be reviewed and updated on a regular basis, ensuring that these accountabilities follow current regulator expectations.
  • Include the regulators as part of your stakeholder engagement strategy. This can be invaluable as a feedback loop, as they can provide useful insights.

2. ML/TF (Money Laundering / Terrorism Financing) Assessment of risk

  • ML/TF rules are risk-based, and it is imperative that an appropriate risk management framework is established to identify and assess risks, backed up by the appropriate controls and processes. This risk assessment should be tailored to your organisation to ensure it is fit for purpose.
  • An FI’s risk assessment and tailoring of the AML/CTF program is dependent on the customer profiles, services provided and types of transactions and accounts
  • Ensure there is an ongoing process to monitor and identify changes in your risk. This is so you can respond by adjusting the administration of your services, customers, relationships, and delivery methods to mitigate new and emerging ML/TF risks.

3. Employ adequate resources with appropriate expertise

  • Ensure you have AML subject matter experts on your program with solid domain expertise, practical knowledge, and experience. Having resources with day-to-day experience in Investigations is key to the design of your operational process and System tools
  • Invest in staff and ensure they have appropriate training (which should be ongoing), professional development, skills, and experience to support them in their role – make use of Vendors and partners in supplementing your team as required – encourage ACAMS qualifications and ongoing currency

4. Systems and tools

All institutions implement a range of systems and tools to monitor and manage their compliance obligations. These could be vendor-supplied systems, in-house systems, or joint developments with third-party organisations who partner with FIs to build out solutions. FIs could use a single solution to detect, monitor, investigate and report, or a combination of several solutions. The key principles below are valid for all deployment methods:

  • Ensure that ALL stakeholder groups are represented at the start of the program and throughout the program (examples below):
    • Program Sponsor
    • System Owner
    • CRO & MLROs
    • Heads of Compliance / Compliance officers for each impacted Business unit
    • Operations representatives from each line of business impacted
    • AML/CTF SMEs
    • Fin Crime investigations unit
    • Data Analytics
    • Enterprise and solution architecture
    • Info Sec
    • Systems owners
    • Testers
    • Vendors
  • Assess data quality and readiness
    • Data (structured and unstructured) is often the most significant roadblock when developing and implementing a compliance system. Organisations should not underestimate the amount of time and effort required to identify, source, process, transform, and interpret data. This is becoming more and more important as organisations embrace more advanced data capabilities to enhance their solutions and modelling (AI, Machine Learning, Natural Language Processing, Robotic Process Automation, Big Data / Data Analytics, etc.). FIs are often plagued with data quality issues, and concerns around the completeness and validity of data are often major hurdles. Allow enough time to perform DQ (Data Quality) processes on the data being provided to your compliance solutions.
  • Operating and source systems architecture & topology
    • Operating / source systems and data quality issues are related in many organisations. Decomposing the complexity of legacy systems and processes is a challenge for larger FIs with a history of acquisitions. It is therefore key that all institutions consider how their systems currently operate and the impact this will have on the implementation of a compliance solution.
  • Design of investigation and operational processes
    • With the increasing number of transactions, the volume of data being processed and an increasing number of potential alerts, the need for efficient investigation processes is becoming more critical. Involve your investigation team in the design of processes and workflows, including during the testing phases, and place emphasis on the effectiveness and efficiency of the alerting and investigation process.
  • Tuning, Tuning, Tuning…
    • AML compliance programs rely on large quantities of data being processed against an ever-increasing catalogue of rules, algorithms, and models to identify suspicious transactions and behaviours of individuals, networks of individuals, and organisations or entities. Inadequate tuning will result in poor system performance and a high number of false positives and/or false negatives.
    • Break your tuning down into ‘bite-sized’ chunks by sets of rules or by data / business / channel segmentation, otherwise you will be overwhelmed.
    • Have a process to measure your results, be it manual analytics or automated via AI or ML, e.g. DATA → ALGORITHM → DISTRIBUTION → THRESHOLD → MEASURE → TUNE (repeat until results are in line with expected results or risk thresholds).

5. Remain Compliant

  • AML compliance is not a set-and-forget program – the following change regularly and frequently, requiring constant attention and rework:
    • Regulations, laws, threats, criminal behaviour, customer behaviours, country and PEP risk profiles, business (channel, product offerings, customer growth)
  • Implement a regular review of your monitoring systems and the resulting alerts, perform ongoing tuning exercises, and update your rules, algorithms, watchlists, and investigation and workflow processes.

6. Implement Regular Independent reviews

  • Maintain a relationship with the regulator and keep up to date with regulation changes – ask the regulator to clarify if you are unclear. Regulators don’t like surprises and would prefer to have an open dialogue.
  • Conduct and embed a regular independent review of your AML program, which should cover an ML/TF risk assessment review, policies, procedures, and controls.
  • Ensure all reviews, actions and changes are auditable, tracked and reported (what, why, corresponding owner actions, dates, etc.).

7. Implement an AML/CTF Training Program

  • Training is critical to ensuring systems, procedures and controls are adhered to in managing money laundering and terrorism financing risks.
  • AML training should be incorporated into staff training and development plans. Training should be conducted organisation-wide.
  • Employees who are performing operational or compliance roles should have the appropriate induction and ongoing training required to perform the role effectively.