Are your BSA/AML and fraud programs separated? One of the heavily debated points among financial institutions is how each one handles its BSA/AML and fraud programs. Currently, most financial institutions are combining the two programs, and it is expected that this trend will continue in 2022.
Key takeaways:
- Of the institutions surveyed, 52.3% keep their fraud and BSA/AML programs separate.
- 47% of respondents combine their BSA/AML and fraud programs.
Rather than debate the topic of BSA/AML and fraud departments crossing over, it is more valuable to understand the reasoning behind this decision. All institutions are different, so there is no precise answer. However, statements such as "BSA and fraud are separate (or together) because it has always been this way" can be a red flag. Institutions should be able to walk through validation processes for this decision and regularly ask, "is what we are doing today working?" As fraud and BSA/AML violations continue to evolve and change, your institution's program should be dynamic and adaptable. For example, if your institution has always focused on monitoring check deposits for fraud, what will happen in your fraud program as the trend changes towards fraud with unconventional payment methods, such as Zelle, Venmo, or cryptocurrency? As fraud methods modernize, those check deposit monitoring solutions might not find much fraud, and institutions will need to identify and prioritize the higher-risk fraud channel.
The next step towards solidifying your program's foundation is to evaluate your institution’s monitoring platform. Whether your BSA/AML and fraud departments are separate or combined, the parameter threshold decisions are different for BSA/AML and fraud. Typically, alert generation with BSA/AML threshold settings are changed less frequently than fraud threshold settings, which should be examined more regularly. Managing the solution and tuning it often is essential outside of working fraud alerts to detect and prevent fraud. At a minimum, tuning and efficiency reviews should include:
- Optimizing scenarios – adjusting threshold settings and staffing resources
- Reviewing previous alerts generated and analyzing losses and fraud SAR filings – alert to case / SAR ratios
- Analyzing Reports
- Identifying other potential risks
Let's go back to the previous example. What if your fraud analysts work many check alerts per day, but never identify any fraud or file SARs from cleared checks? This could indicate that you have little risk with check clearings. On the other hand, it could also indicate that the threshold settings are set well below where fraud risks could be identified. Be efficient with your systems' fraud scenarios, alerts, and funnel threshold, and adjust your bank's fraud risk assessment and decision settings based on resources available. Make sure that your institution can process any alerts within 24 hours. If you have fraud alerts waiting to be dispositioned in the system from a week ago, fraud has already occurred, and the bank has incurred a loss.
If your institution is pondering the strengths and weaknesses in its fraud risk processes, consider a fraud risk assessment. An assessment can provide insights such as:
- Identifying potential vulnerabilities
- Risk ranking products and services
- Identifying areas for improvement