AML compliance 8 min read

Pillar 4: How to measure your compliance effectiveness

For the love of metrics, how do you measure AML impact?

Ester Eggert
Ester Eggert
Head of Product

aml-compliance-metrics-1.jpg In the world of compliance, it’s pretty easy to think your day job is mostly about following a bunch of rules so you can keep your company safe. But that’s rarely why any of us joined the field.

I’m lucky to be a part of Salv, an anti-money laundering (AML) technology built by the compliance creators of Skype and TransferWise — like me. Since the very beginning, at Salv we’ve put crime-fighting at the heart of everything we do. But even for the most diehard crime-fighters among us, we still recognize that, at the end of the day, there are long lists of regulations to follow.

If you didn’t know there was a Part 1 (crime fighting KPIs), Part 2 (customer impact KPIs) or Part 3 (AML costs), then you’ll want to read those first. This will be my final write up on AML KPIs (Key Performance Indicators).

I’ll be covering that final pillar, Compliance.

There’s a reason I left the Compliance pillar for last — all too often I’ve seen teams get tunnel vision and end up focusing almost exclusively on ticking regulatory boxes, while missing the heart of why compliance teams exist. If that feels like your team, then it’s doubly important you find metrics in the other 3 pillars to balance out your team’s goals.

Pillar 4: AML KPIs based on compliance

If you add up all of the hours of my life thinking through how to measure compliance, I don’t even want to think about it. Measuring compliance is not only tough, but I hate the fact we have to even measure this at all. In a perfect world, we’d all be so motivated by catching criminals — and there would be such a clear AML feedback loop in place — that we wouldn’t even need regulators to come check our work. But, well, here we are in 2020 and we haven’t made it to that fantasy world. Yet.

So. How do you measure compliance? When can you say you’re compliant? When are you actually done? Great questions. I’m not sure there’s a clearly good way to measure these questions, but I can give it my best shot.

aml-compliance-metrics-2.jpg

KPI 1: Number of audit findings due in the next quarter

How many issues highlighted by recent audits need to be completed in the near future? Basically — those items listed in red.

In a normal company processing transactions, you’ll normally have an audit or 2 every year, so this would be a hard KPI for you to measure. You’d only be able to measure it every year or so. But if your company operates internationally, you might be in the situation. When I worked in TransferWise, we had audits from regulators across the globe coming in every 2-4 weeks. In the latter case, then this metric might be very useful for you.

If you’ve never experienced an audit before, then you’re in for a treat. And, by “treat,” I mean you’ll freak out trying to get everything ready for the big visit, then a team of regulators will come into your office, look through your team’s work, ask a bunch of questions, and then eventually present you with a list of their findings. And, by “findings,” I mean a list of deficiencies and problems they’ve identified from your processes — they’ll want you to correct these. Often, you’ll be given anywhere from 6 months to a year to fix what’s on their list. The next time they pop in for a visit, they’ll want you to be able to show them you’ve made their changes.

If your company experiences a bunch of audits every year, then you should be able to fairly quickly measure how many findings you have open at the moment. In theory, the less findings you have — and, hopefully, this number decreases over time — then that hopefully means your team is getting better at audits. And compliance.

What are the total amount of fines you’ve paid in the last 12 months?

I’ll be upfront with you, I find this KPI loathsome. But I have seen actual companies, normally huge corporations, using this as their metric. They’ve all accepted the fact that their processes will be found lacking — so their aim is simply to minimise the amount of fines they’ll need to pay. For many, as I said, compliance is less about protecting the vulnerable and catching criminals, it’s rather more about reducing profit losses.

I’m going to go out on a limb, however, and hypothesize that the era — where this is an acceptable KPI — is drawing to a close. In 2019 alone we saw that 1 in 4 of the world’s 50 largest banks(1) were fined due to AML breaches. That’s abysmal. In fact, in some regions, regulators are now publishing names of companies with AML breaches, their amount of legal issues, and the amount they’ve been fined.(2) And, increasingly, in the wake of these AML scandals, we’ve seen stock prices plummet for some of these companies. We’re entering an era in which these fines will cost companies far more than paying regulatory bodies.

KPI 3: Keep your MLRO out of prison (and your CEO employed)

Is your MLRO not in jail? Is your CEO still working?

While this KPI might sound a little funny, you likely know that one of the penalties for AML breaches is that your MLRO (Money Laundering Reporting Officer) may have to serve prison time. If you’re the unlucky MLRO who ends up having to go to jail, then this is no longer a laughing matter. The risk is real, and more than a few people have refused to take on the MLRO role exactly due to that possibility. But, more than that, you’ll probably see that CEO after CEO resigned or was fired in 2019 after AML scandals made news headlines.(3)(4)(5) Though that isn’t an actual regulatory penalty, it’s an all-too-often result.

So, as simplistic as it sounds, this is technically a KPI, and an easily measurable one at that. Keep your MLRO out of jail and your CEO is employed. But just make sure this isn’t your only compliance measure.

KPI 4: How easily you can attract and keep your MLRO

How long does your MLRO stay in the job? How easy is it to recruit a new one? Do they seem to ask for an abnormally high salary?

This is similar to the previous KPI, but it’s a real thing. As we’ve spent time at Salv, we’ve often seen that many of the companies that struggle the most with AML and compliance have MLROs that, well, don’t stay long in the job — it’s often a clear warning sign that something isn’t going so well. If your MLROs don’t stay long, you’re having a tough time recruiting a new one, or they seem to be asking for an abnormally high salary, then this could be an indication that something is wrong with your company’s risk policies, compliance, or AML controls. MLROs know about risk, and if they leave quickly or want to stay far away from your company, well, you might have your answer why.

aml-compliance-metrics-4.png

KPI 5: How quickly you can implement new regulations

Are you ahead or behind most companies like you?

As you were probably aware, new regulations are increasing at a breakneck speed. Open banking, PSD2, AMLD V and VI — it’s been a constant onslaught. And when you squint at the diagram above, it becomes even clearer, even without diving into the details. So, increasingly, staying compliant will be about how long it takes your company to adjust to change and pivot to stay on top of new regulations. When new regulations are put in, are your systems and processes already aligned, or are you playing catch up? You can measure how long it takes you to pivot and change.

KPI 6: How familiar your team is with new regulations

Are you ahead or behind most companies like you?

This is related to the KPI above. How well do you and your team — not to mention, the wider company — understand the regulations that you need to comply with? It can range from no awareness all the way through to engaging directly with the regulators to help shape the regulations. You can test this knowledge and keep track of your progress over time.

Summing up the final pillar

All right, readers, this closes up our fourth and final pillar. Compliance is vital, but make sure you don’t just stop there.

At Salv, even though we built our platform to primarily fight crime, we still know how important it is to enable regulator-friendly processes. That’s why, in our Salv platform, all of your team’s actions are tracked and timestamped, you can test rules before you roll them out, you can download audit reports instantly, you can put together all sorts of dashboards, and your AML data is stored in a single database.

If you’re overwhelmed with how to measure other aspects beyond compliance, check out all of the pillars and corresponding KPIs below to find what works for you.

Putting all the AML KPI pieces together

Pillar 1: Crime-fighting KPIs

  • Alert to SAR ratio
  • Ratio of alerted customers by region / product
  • Alert handling time
  • SAR reporting time
  • Percentage alerts also flagged by other institutes (true positives)

Pillar 2: Customer impact KPIs

Average payment suspension time for good customers

  • Average / median alert resolution time
  • Length / size of your team’s backlog

Drop-off due to compliance reasons

  • Cancellation rate of alerted transactions
  • Percent of alerts resolved online/automatically in less than 5 minutes

Your team’s invisibility to the customer

  • Instant payments delayed due to compliance checks
  • Percentage of poor reviews related to AML

Pillar 3: AML costs

  • General compliance cost per transaction
  • Compliance cost as a percentage of total company costs
  • Percentage of compliance headcount
  • Cost per alert

Pillar 4: Compliance

  • Number of audit findings due in the next quarter
  • Total amount of recent compliance related fines
  • Keep your MLRO out of prison (and your CEO employed)
  • How easily you can attract and keep your MLRO
  • How quickly you can implement new regulations
  • How familiar your team is with new regulations

If you’re still struggling to set up metrics that work for you, reach out to me directly on linkedin and I’ll be glad to help. And if you want to find out if Salv’s platform is right for you — get in touch.

Happy AML measuring!

Salv Bridge

Investigate and solve fraud, and increase recovery rates up to 80% with Salv Bridge

Learn more
bridge product mockup

Citations

  1. https://www.finextra.com/newsarticle/35189/fs-firms-hit-with-36bn-in-aml-kyc-and-sanctions-fines-since-financial-crisis
  2. https://www.fca.org.uk/news/news-stories/2019-fines
  3. https://www.reuters.com/article/us-danske-bank-moneylaundering/danske-bank-ceo-resigns-over-money-laundering-scandal-idUSKCN1LZ0QX
  4. https://www.reuters.com/article/us-westpac-regulator-ceo/westpac-ceo-resigns-as-money-laundering-scandal-rocks-australias-second-biggest-bank-idUSKBN1XZ2FH
  5. https://www.wsj.com/articles/swedbank-review-criticizes-ex-ceos-for-anti-money-laundering-failings-11584990160
×
ISO/IEC 27001 logo
Aicpa logo
GDPR compliant logo
OWASP logo

We build security to our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS etc.) to ensure that our security management system meets the highest standards.

Salv has an ISO/IEC 27001: 2022 certificate, as well as ISAE 3000 compliant SOC 2 Type 2 report.