Money laundering, by its very nature, is difficult to detect, but expert Eric Holmquist gives advice on how to spot it and how to respond.
About the speaker:
Eric Holmquist is the President of Holmquist Advisory.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact [email protected]
How to detect and respond to money laundering
Eric Holmquist: I do have to defer a little bit in terms of specific threats emerging
because I don't manage this on a day to day basis. But as a risk manager,
what I can say is there are always new threats emerging and particularly
as we see changed in product structures, in new technology where data and
money is moving faster and faster and faster, and in some cases in
automated ways. There are some areas where we see as more becomes
automated, the easier it is for people to miss steps. So are there new
threats? Absolutely, as long as there's going to be change there's going to be
new threats. This is why it's so critical that in any organization,
regardless of their structure, there's got to be clear awareness,
accountability, and the ability to take action around the movement of
money, the movement of data, so that as environments change, as new
technology is used, and as the bad guys unfortunately get more clever, we
have the ability to detect and respond when things take place.
I mean in the end, we've got to have an environment where assumptions are
documented about who's watching for what threats. We have very clear
awareness around what could go wrong in what ways and how would we know
that, and how would we respond? You know, none of this is new. This is the
same kind of risk techniques we've been using for hundreds of years. What
could go wrong? So, while absolutely, I can't speak to specific threats that
are emerging necessarily today, I can say we are seeing new ones every
single day, and we've got to be able to know where those risks are.
Eric Holmquist: The one thing I can say is you've just got to know where the money's
moving. I mean this goes back to, you know, cash in the branches. And I
can't count the number of times I've worked with a client that they
weren't paying attention to cash going in one branch, cash going
in a different branch. I mean these are simple things, but in the end
you've simply got to know where the money is moving. This is an area where
often financial institutions have suffered because they do tend to break up
into operational silos, and it's been a struggle for as long as there have
been banks. In the end, you've simply got to know where the money is moving.
Now, what this largely means is the whole "know your customer." You've got to
have your arms around the customer relationship, so if a customer has a
relationship on one side of the bank, and one on the other, you've got to
be able to put those together.
This goes back to, you have to have end to end process awareness. And that
means knowing all the places that the customer touches. This also means
that you've got to have documented end to end process maps of how processes
take place. So when it comes down to an AML investigation, you're not
starting from the customer's transaction, you're starting from an end to
end process map. You know, where did this process go? Not where did the
customer go? If you don't have strong end to end process maps and strong
documentation about your assumptions of risk, you're always going to come
up short; you're always going to be chasing the risk. So that's the first
place to start. The next thing is follow the money: where did the money go?
Eric Holmquist: Absolutely, in fact, it has to be part of your GRC program. If we go back
to the spirit of what GRC is trying to accomplish, it's a much more
holistic look at risk and compliance. We've got to be able to put
governance, which is how are we managing on a day to day basis, goes to
those process maps, goes to risk awareness. The risk management process,
which is a much broader look at not just what are the control steps, but
what are the risks that are the support for those controls? We've got to
have that mapped into the whole process. And then finally, what are the
compliance steps? So a GRC approach is absolutely the way to look at
something like an anti-money laundering because as long as we have clear
mapping of what's the governance, how are we managing this day to day?
Mapped to what are the risks, or to put it simply: what could go wrong?
It's a very simple question that people simply don't ask enough. The
problem is that at the end of the day, people tend to focus on their jobs,
and that involves, "How do I do this process? How do I get it done, do it
right so I can go home, so I can get paid?"
You know, people don't get all that wound up about process optimization or
data security, and they don't get all that excited about compliance. This
is why this is, more often than not, a cultural issue, certainly not a
technology issue, and not a compliance issue. It's making sure it's part of
the culture. People are aware of what the risks are and encouraged to
participate in understanding what those risks are so that we can think
about how we manage that risk, end to end. In that context, compliance
becomes easy because people are much more self-aware of how they're
managing those risks.