Since its enforcement in 2020, the Anti-Money Laundering Act of 2020 (AMLA) has had a large impact on BSA/AML best practices, including in the realm of alert backlog management.
Among other things, the Act requires that financial institutions take a risk-based approach to backlog handling, which means that they must build out a system that allows them to address the highest-risk transactions first.
As a result, resource allocation and timely alert dispositioning are key to successfully meeting today’s stricter AML compliance requirements.
What is an Alert Backlog and Why Does One Form?
An alert backlog forms when suspicious activity alerts build up in an organization’s transaction monitoring system. This happens when a team is simply not capable of addressing all of the alerts that are flagged in a timely manner. This can occur when the team is short-staffed, inexperienced, or the system is ineffective (and throws a lot of false positives).
Even before the pandemic, many financial institutions were struggling to keep up with AML compliance regulations because they often rely on investigators to review alerts and determine whether the transactions that triggered them were truly suspicious and worth further investigation. Depending on the size of the organization, the number of alerts can run into the millions.
This is a time-consuming process, especially since the industry standard false-positive rate is close to 95%.
During the pandemic, FIs faced several additional challenges, including difficulty keeping teams sufficiently staffed, investigator burnout, changes in consumer purchasing behavior, and the fact that suspicious activity often flourishes during a crisis.
As a result, significant alert backlogs have built up over the last few years, requiring dedicated resources and a defined strategy to clear them out and keep them from building back up again.
How Alert Backlogs Impact the Compliance Team
So, what is the problem with having a backlog of alerts? There are several issues that arise when an organization is ineffective at addressing all of the alerts in their system.
The main problems with having a large backlog of alerts include:
Not Meeting Regulatory Requirements
Backlogs inhibit the organization from meeting its regulatory requirements (SARs should be filed within 30 days of identification of suspicious activity). This can jeopardize an organization’s relationship with its partners and regulators, and cause the company to incur hefty fines.
Poor Signals and Data
When a firm has a significant backlog to manage, the organization isn’t getting the most valuable signals or data, which causes the system to be less effective. Specifically, the lack of review means that the business doesn't capture the signal of whether an event is bad or not, reducing the firm's ability to improve both its preventative and reactive defenses. If alerts aren’t being handled in a timely manner, machine learning models can’t adjust.
On top of that, the data science team, the automation team, and the analytics team can’t identify the cause of the problems in the system and can’t make informed decisions about what needs to be done to reduce fraud losses.
Drain on Resources
Handling a backlog is a project in itself: when team members are focused on alert backlog management, they aren’t spending time on the work that matters most to the organization.
It also means that the teams are constantly stretched thin and aren't able to get to any side projects or have any meaningful downtime. Over time, burnout results in a jaded team that is no longer striving to meet performance metrics or service level agreements, since they feel there's no real opportunity to focus in those areas.
A large backlog also makes it difficult to staff appropriately. A constantly growing backlog may mean the team does not have enough people, but it is also hard to tell what the proper headcount should be while team members are splitting their efforts between backlog management and new alert investigations.
How to Handle a Large Backlog of Alerts
The intuitive way to handle a backlog is to start at the oldest alert and work your way to the newest, but that isn’t always the best strategy.
This can be effective when the backlog is small and the team isn’t at workload capacity. But for larger, more significant backlogs, this is a recipe for failure. This is because the backlog keeps growing every day due to the team not being able to manage the alerts.
Also, alerts that occurred three months ago aren’t going to be as relevant or valuable as the alerts being flagged today, so the priority should be on handling the most recent alerts.
Think of it this way: if eighty alerts come in every day and the team can only handle sixty, then every four days the team falls an additional day behind. At this rate, after four months you will be a full thirty days behind. This means that while the team is working on the backlog, it is getting the least valuable signals and data, because they are the least current.
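The queueing argument above, worked through as an added simulation that is not part of the original article. It uses the article's figures (80 alerts flagged per day, 60 dispositioned per day), assumes four months is 120 days, and compares oldest-first handling with newest-first handling plus a dedicated backlog team of an assumed size.

```python
from collections import deque

ARRIVALS_PER_DAY = 80   # the article's illustration: 80 alerts flagged per day
CAPACITY_PER_DAY = 60   # ... and a core team able to disposition 60 per day


def simulate(days, newest_first=False, backlog_team_capacity=0):
    """Day-by-day queue model of alert dispositioning.

    Each pending alert is stored as its arrival day, oldest at the left.
    newest_first=False: the core team works oldest-first (the intuitive approach).
    newest_first=True:  the core team works today's alerts first, so current
                        signals are never starved by the backlog.
    backlog_team_capacity: alerts per day cleared, oldest-first, by a dedicated
                        backlog team separate from the core team (assumed size).
    Returns pending count, days of arrivals pending, age of the oldest pending
    alert, and the greatest age at which any alert was dispositioned (in days).
    """
    queue = deque()
    worked_ages = []
    for day in range(days):
        queue.extend([day] * ARRIVALS_PER_DAY)
        for _ in range(CAPACITY_PER_DAY):          # core team
            if not queue:
                break
            arrived = queue.pop() if newest_first else queue.popleft()
            worked_ages.append(day - arrived)
        for _ in range(backlog_team_capacity):     # dedicated backlog team
            if not queue:
                break
            worked_ages.append(day - queue.popleft())
    last_day = days - 1
    return {
        "pending": len(queue),
        "days_behind": len(queue) / ARRIVALS_PER_DAY,
        "oldest_pending_age": (last_day - queue[0]) if queue else 0,
        "max_worked_age": max(worked_ages, default=0),
    }


if __name__ == "__main__":
    scenarios = {
        "oldest-first, core team only": {},
        "newest-first, core team only": {"newest_first": True},
        "newest-first + 10/day backlog team": {"newest_first": True, "backlog_team_capacity": 10},
        "newest-first + 20/day backlog team": {"newest_first": True, "backlog_team_capacity": 20},
    }
    for name, kwargs in scenarios.items():
        print(f"{name:36s} {simulate(120, **kwargs)}")
```

Oldest-first ends 30 days behind and is already working month-old alerts, newest-first alone keeps current alerts same-day but leaves the backlog ageing untouched, and only a backlog team sized to the 20-alert daily gap holds the queue at zero.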
To combat these challenges, FIs should address the highest-risk transactions first while incorporating the following steps into their backlog handling strategy.
Step 1: Treat the Backlog as a Standalone Project
Separate the backlog into its own project away from the regular day-to-day work of new alert handling and prioritize new incoming alerts and cases. This helps to ensure you won’t have a backlog building up and that the team is chipping away at the backlog while remaining focused on the most relevant signals.
Segmenting out the backlog also keeps the team aligned with the regulations, because your current, ongoing alerts most often represent the highest risk.
As part of this process, you should also make an effort to understand the cause for the backlog (understaffing, inaccurate alerting, etc.) and aim to address it to ensure that the regular day-to-day work does not cause additional backlog to form.
Step 2: Scope the Backlog Handling Project
Understand the scope of the backlog problem, and communicate that gap to the appropriate stakeholders (your management team, relevant partners/regulators, etc.).
Keeping them informed about how large the backlog is, how much estimated time it will take to clear, and how many resources or personnel will be needed to complete the project within the proposed timeframe will ensure that everyone is in alignment with the situation, making it easier to approach the project with a cohesive plan.
While these can at times be painful or uneasy conversations, transparency and alignment are always recommended for strong positive outcomes over time.
Step 3: Staff the Backlog Handling Project Strategically
Organizations don’t necessarily need to hire full-time employees for this project. Instead, they can consider using temp support, BPOs (external resources to the company coming in for dedicated tasks), contractors, interns, or internal employees that have tasks that can be deprioritized.
Step 4: Adopt a Triage-First Approach
Instead of having employees of all levels of expertise working on the backlog project in tandem, the first review should be performed by lower-level personnel.
These team members should be capable of clearing out the most obvious alerts first while flagging anything that requires a more skilled eye for higher-level employees to handle in a second pass. This ensures that the people with the highest level of expertise aren’t wasting their time on menial tasks and can instead focus on true investigations.
This also aligns with the spirit of prioritizing higher-risk alerts, by ensuring that only higher-risk alerts reach your investigation team.
Alert Backlog Handling Best Practices: Final Thoughts
There’s a famous saying that the best way to eat an elephant is piece by piece, and the same is true of managing a backlog of alerts.
Once the project is properly scoped and communicated to all stakeholders, it can be worked on over a period of time. Then it just becomes a matter of putting the proper systems in place to ensure new backlogs aren't formed from your day-to-day operations.
This means sufficiently staffing the team, using the best AML technology to reduce false-positive rates, and prioritizing the most potentially damaging alerts first by taking a risk-based approach.