Where do look back and remediation projects arise from? What are the typical root causes leading to a look back or remediation project? What are the pitfalls of a look back or remediation? How do you create a winning strategy on how to approach a look back or remediation?
This post explores the answers from an insider’s perspective of dealing with some of the most sensitive and interesting look backs of the last 11 years.
Background and Origin
There are typically two sources of origin for look back and remediation projects. First, a US Government (“USG”) action may require a US financial institution (“FI”) to conduct a look back as part of said action. Second, an FI may self-identify an issue and decide to remediate that issue. By way of background, these actions and self-identified issues typically involve the following key elements: (1) a particular unknown risk that must be investigated and understood by the FI; (2) transactions and/or customers of the FI; and (3) a period of time or scope.
We can attribute many causes categorically. The top-level categories almost always involve gaps in transaction monitoring (“TM”), watch list management (“WLM”), and customer risk rating (“CRR”) models. Further down, we can attribute gaps to data and/or systems issues (e.g., erroneously mapped transaction codes or unmapped customer data elements). Other down-level categories include a misinterpretation of risk through the risk assessment process (either at the enterprise level or the new product/service level). Unfortunately, at times, some causes are attributed to actual misconduct within the FI (at the first line, second line, and/or even management levels). The bottom line on causes can be simplified to a lack of controls or breakdown of controls.
There are many pitfalls to a look back or remediation situation. The main pitfall I would highlight is cost containment. While many look backs are a part of an action, those often come with loose (less prescriptive) mandates. While many will interpret the mandate to be all-encompassing (scorching the ends of the earth for suspicious activity and high-risk customers), there is often a great opportunity to narrow or target that unknown risk more efficiently and effectively.
Another pitfall is to overlook the serious nature of the mandate or self-identified issue. Here is a newsflash – sometimes executive management does not care that there are potential unreported suspicious activities (violations of federal law) or unidentified high-risk customers. Delaying a management response to the mandate or even the self-identified issue can come with severe consequences (additional actions and potential individual liability).
Assume knowledge has been established (via a USG action or self-identified) – what’s next? First, comprehend the core of the problem and scope it accordingly. Second, apply a basic red team analysis to the agreed-upon core and scope. Third, develop two plans to execute (one the preferred and one the contingency). Fourth, evaluate whether a third party with independence is necessary (typically if part of a USG action) or if other FI employees can be leveraged to contain cost. Fifth, create open and transparent communication with the Board (and/or oversight committees), Audit, and the appropriate Supervisory Agency. Finally, execute, evaluate, and report. This last step is where you can reap many benefits from the effort and leverage many different forms of intelligence (lessons learned, new data, new process observations, etc.).
We would be remiss to exclude technology from this post. However, while technology brings great capabilities to bear, do not undervalue the human planning and strategy aspect of approaching a look back or remediation project.
At AML RightSource, a Gabriel Partners Company, our Financial Crimes Advisory practice is well positioned to assist in creating a detailed winning strategy and plan to approach a look back or remediation project. In addition, our AML/BSA Staff Augmentation practice has over 250 full-time professionals (analysts and investigators) with extensive look back and remediation project experience.