Money laundering is a widespread global problem.
A lot has been done in the past year to reform the laws and regulations aimed at reducing money laundering and terrorist financing; however, the issue remains prevalent in today’s society.
In 2021, there were over 2.5 million SAR reports filed to FinCEN. Although Suspicious Activity Reports (SARs) are crucial to block money laundering, the system could be much more effective. Part of the challenge lies in the outdated and largely manual processes that financial institutions use to create and submit these reports.
That’s where AML case management comes in. But what is AML case management? How do companies get the most from their case management system? How does the case management workflow maintain a company’s AML compliance?
This definitive guide has everything you need to know about case management for risk and compliance in financial services.
Keep reading to learn more.
What is Case Management? Case Management Definition
Case management is a term that doesn’t just refer to risk and compliance in financial services. On the contrary, the phrase is used across many industries, from healthcare to IT support. However, the most basic case management definition is the same in every business.
It refers to the process of collecting, monitoring, and assessing information. This helps companies find the best responses or solutions to problems.
For security operations, the case management system aids in the management of investigations and reporting. In addition, companies use the system to provide feedback to better detect and respond to suspicious activity or threats.
This process includes:
- Collecting risk and threat assessment data
- Monitoring suspicious activities
- Tracking potential incidents
- Managing investigation workflows
- Conducting data audits
- Filing incident reports
Similarly, case management in banking refers to the risk and compliance processes. These processes prevent and detect financial crime, emphasizing money laundering and terrorism financing.
The practice of money laundering refers to any illegal process used to make money generated from criminal activities appear legitimate. As someone might launder their clothes when they are dirty, a criminal launders money when it comes from an illegal (ie: dirty) source.
Other financial crimes related to money laundering can include:
- Identity theft
These crimes are used for money laundering or rely on laundering practices to move funds. As a result, governments create and enforce compliance requirements to aid law enforcement and criminal justice systems.
What is Case Management in Compliance?
Every industry has regulatory compliance requirements. For example, finance companies like banks and credit unions fall under specific finance security regulations. These include suspicious activity reporting requirements.
Companies can meet compliance regulations by creating an effective system for managing cases and investigations and reporting suspicious activities required by law.
The Financial Crimes Enforcement Network (FinCEN) is the US Financial Intelligence Unit that manages regulatory compliance with AML.
AML statutes and regulations include:
- 31 USC 310 (establishes FinCEN and its authorities)
- The Bank Secrecy Act (requires financial institutions to cooperate with AML)
- The USA Patriot Act (applicable AML and KYC mandates)
FinCEN is also the reporting agency for AML cases. In addition, it investigates the Suspicious Activity Reporting (SAR) claims submitted by a company.
Companies must submit suspicious activity reports as soon as possible, depending on case severity. Failure to do so can result in steep penalties.
According to the FinCEN electronic filing requirements, “A FinCEN SAR shall be filed no later than 30 calendar days after the date of the initial detection by the reporting financial institution of facts that may constitute a basis for filing a report.
If no suspect is identified on the date of such initial detection, a financial institution may delay filing a FinCEN SAR for an additional 30 calendar days to identify a suspect, but in no case shall reporting be delayed more than 60 calendar days after the date of such initial detection.
In situations involving violations that require immediate attention, such as terrorist financing or ongoing money laundering schemes, the financial institution shall immediately notify by telephone an appropriate law enforcement authority in addition to filing timely a FinCEN SAR."
Ultimately, an AML case management system helps a company keep up with its reporting requirements to avoid costly fines for non-compliance. Virtual banking organizations like Fintechs must adhere to compliance regulations as well, so a robust AML solution is a must!
Types of Case Management
There are two main case types for financial companies: AML and KYC (“Know Your Customer”). Although interrelated, they are very different in scope.
AML may be used as an umbrella term for all anti-money laundering regulations and operations.
KYC guidelines are an essential part of the AML framework. The KYC scope focuses on verifying consumer and business relationships.
KYC Case Management
KYC refers to the processes institutions use to ensure their customers’ legitimacy. KYB (Know Your Business) is a related KYC function for screening businesses instead of individual clients.
Not all industries require this type of case management system. But KYC is mandatory for all financial companies to comply with AML laws.
KYC screening has two tiers: Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). CDD is the initial screening and analysis of customer data. It’s the fundamental core function of KYC measures.
CDD includes verifying a customer’s identity through:
- Photo IDs (driver’s license, military ID, passports)
- Proof of address (utility bill, bank statement)
- Tax identification numbers (SSN, ITIN, EIN)
Once a customer’s identity is established, their data is analyzed for potential risk. A high-risk assessment goes into the next tier: EDD.
EDD is a more comprehensive AML investigation. It also reveals risks that may not be apparent with CDD.
KYC is a crucial process for AML case management. Without KYC guidelines, the AML operations workflow cannot prevent or detect bad faith actors within the system. It can only respond to suspicious activity that may or not be criminally related.
AML Case Management
AML case management refers to the investigation of suspicious activity. This activity can be related to transactions, events, use of financial instruments, interactions with third parties, or other entities. AML systems software monitors financial transactions with detection rules in place. Flagged activity is then investigated through the case management workflow.
Financial companies must have a process for managing AML cases. Money laundering typically involves bank transfers and deposits. Money deposited in a bank with no further issues is "clean" to other individuals and institutions.
If a company fails to detect this criminal activity from a lack of due diligence, it can be held liable.
What is an AML Case?
An AML case covers any financial crime-related activity. FinCEN's past case management examples include:
- Medicare fraud
- Illegal money transfers from Israel to the UAE
- Oxycodone trafficking
- Front operations for transferring drug money between states
- Pyramid and Ponzi schemes
- Illegal gambling rings
- Judicial bribery from foreign corruption
All these cases involved suspicious transaction reports flagged as potential money laundering activity. The criminals were caught and found guilty due to SAR reporting to FinCEN.
An AML case begins when systems detect outlier (unusual) activity seen as suspicious through the process of transaction monitoring.
Suspicious activity can include:
- Transactions with no clear businesses purpose or need
- Structuring large deposits into smaller sums to avoid Currency Transaction Reports (CTRs)
- Frequent deposits and withdrawals without legitimate explanation
- Large deposits not explained by employment or family inheritance
- Recurring money transfers between unrelated entities
- Frequent and/or large money transfers to high-risk countries or regions
- Multiple cash transactions unrelated to business revenue
Further investigation will determine if this activity warrants SAR reporting. This includes building a case through investigations. The case gathers relevant data to assess the risk of criminal activity occurring.
How to Conduct an AML Investigation
AML case management has many resources to identify people with heightened risk. These include:
- National and international watchlists
- Banned lists
- Adverse media screening
Investigations also look for Politically Exposed Persons (PEPs). Most PEPs are innocent of any criminal financial activities. However, positions of political power heighten risk factors.
Therefore, investigations include the PEP’s family, business partners, and other close associates to ensure that they don’t have any suspicious or dangerous connections that might increase an organization’s liability.
Not every AML case will make it to SAR reporting. Billions of financial transactions occur globally each day, which opens the door for false positives to surface during the flag and review process.
Case management compliance is a balance. The goal of an investigation is to weed out the false positives and find legitimate cases.
Failure to do so effectively means a company will miss its suspicious activity report requirements and could be found in non-compliance. This is why case management solutions like Unit21 are helpful for running an effective AML compliance program.
6 Steps of the Case Management Process
Case Management Operations workflows have set standards from one process point to another. As a result, the case management process is standard across industries, although it may contain industry-specific functions.
Its basic structure includes:
- Clearly defined objectives and goals
- Specific process steps from start to finish
- Systematic data collection from multiple sources
- Investigation and analysis of relevant data
- Contextual responses and solutions
- Reporting, evaluation, and audit records
Case management workflows are organized but also organic. As a result, case managers may need to revisit or repeat steps to achieve the desired resolution.
Step 1: Screening
Risk screening is the initial case review. It's similar to skimming a book to see if it’s worth reading. Screening goes over a case to see if it warrants further consideration in the case management process.
Some automatic-detection systems have a 95% false-positive rate, with an even higher rate (98%) of cases that don’t necessitate SAR reporting.
It's important not to burden the operations workflow with unnecessary cases. However, it's also essential to do a thorough screening so critical issues aren't missed.
Step 2: Assessment
Once screening eliminates false positives, assessment can begin. This step delves deeper into the data to analyze the case’s scale and scope.
This action gives analysts a comprehensive overview of the customer and their financial activity. Analysts then assess the data and build their case.
Additional information can include third-party relationships, family, and outside financial activity.
After the initial assessment, analysts can determine a risk level for the case. Risk assessment is the foundation of the KYC requirement of an AML compliance program. The level of risk (low, moderate, high) helps shape the response plan.
Heightened case risks can come from customers, financial activities, or third parties, but one factor won’t determine overall risk. Without comprehensive assessments, the defined risk may end up overstated or understated.
Risk levels also help sort cases according to priority. A high-risk case is higher on the priority scale.
Higher-risk cases may need outside evaluation and input. This includes law enforcement, subject matter experts, security consultants, or other external sources.
Step 3: Create a Plan
The next step a case manager takes is to create a response plan. Plans help case managers determine the resources needed to meet their objectives.
Objectives should be clear and have measurable qualifiers in place. The response plan should also follow the AML program's policy and procedures.
Case management relies on dynamic and responsive plans for many evolving scenarios. This allows companies to respond to ever-changing criminal activity. But risk-based strategies should also have a standard outline in place.
If high-risk cases require urgency, case managers have less time for the planning and implementation stages. Plans may also need frequent changes as new information becomes available.
Step 4: Implement
Once the plan is formulated, it can be implemented. This includes:
- Alerting leadership
- Contacting relevant organizations
- Delegating tasks
- Generating reports
- Recommending actions
Successful implementation relies on organizational support. If case managers don’t have the resources to implement a plan, the plan risks setbacks or failure. As a result, if AML cases aren’t managed in a central location, implementation will be slow, disorganized, and redundant.
Like the other steps in the process, implementation benefits from a centralized approach.
Step 5: Follow Up
The follow-up investigates how the implementation performed. It reveals barriers to a successful case and shows if managers lack resources, leadership support, or systematic compliance failures.
Case managers will gather more data relating to:
- Meeting the plan objectives
- Resolving the problems
- Systems and personnel performance
- Compliance conditions met, exceeded, or failed
If plans don’t have measurable goals, follow-up will be more challenging to analyze. Key performance indicators are useless for tracking process improvement if they are vague and subjective.
Case managers may conduct follow-ups and find that objectives weren't met. They can return to earlier stages or look into evaluations to see where it went wrong.
Step 6: Evaluation
The evaluation stage collects independent reviews. Feedback from outside the case management system offers a different perspective. It can help find performance and compliance gaps.
Evaluations also analyze KPIs and determine how, where, when, and why KPIs failed to reach their goals. For example, if KPIs failed due to lack of resources or procedural errors, case managers could use this information to improve AML systems.
How to Create an AML Case Management Workflow
A functional AML case management workflow needs three essential components:
- Authoritative data collection source
- Centralized management
- Automated report process
Fragmented data isn’t helpful for law enforcement. SARs and CTRs (Currency Transaction Report) lacking complete and accurate data won’t win FinCEN’s compliance approval.
That is why AML case management software needs a central interface. In addition, AML case management systems spread across departments and platforms hinder investigations.
Remaining in compliance relies on quick and easy report generation. If one report takes 24 hours to process, case managers lose valuable workflow time and risk due reports on other cases.
To create an efficient AML case management workflow, take these three actions.
Define a System of Record
In data management, the term system of record (SOR) refers to a central or primary storage system. The SOR collects the same data element from multiple sources. This allows users to track data origination and its evolution throughout numerous systems.
As data travels through different systems, it gets modified or deleted. It also becomes more subject to human error. As a result, the original data becomes more challenging to find.
SORs ensure data:
- is traceable
- has integrity
- is validated
- isn’t compromised
- isn't fragmented
- isn't erased
SORs are important to regulatory reporting. Accurate records without data gaps are also paramount for AML case management investigations.
Investigations need comprehensive and accurate data. Without it, they can’t determine false positives from legitimate criminal activity.
Accurate record-keeping is also part of AML compliance. For example, the BSA requires organizations to have records of all financial transactions and KYC information. In addition, the Sarbanes-Oxley Act of 2002 has additional financial record requirements.
Gather and Analyze Data to Flag and Review Outliers
Outlier analysis is the process of identifying data that defies expected patterns. Outliers are the guiding principle for the financial industry to detect fraud and money laundering.
Outliers are how systems identify suspicious activity. They are the transaction monitoring rules for detection, such as unusual deposit amounts or transfer activity.
The outlier data flagged by detection systems provide the case leads. Outlier analysis takes these leads and determines if criminal activity is occurring. This analysis can be automatic or manual, or a combination of both.
Once it detects outliers, AML case management software gathers all the relevant data into one management area.
Centralized case management has many advantages:
- Eliminates redundancy in multiple reports for the same suspicious activity
- Moves information across organizational silos
- Ensures accurate and relevant data is collected
- Provides a comprehensive overview of client information and financial activity
Investigators then connect the data dots. For example, they find links between suspicious activity and customer identity.
They also look at outside behavior and activities. If it all points to legitimate criminal behavior, the case is reported to FinCEN.
Report Suspicious Activity
SAR reporting is a huge part of AML case management workflow. The suspicious activity reporting requirement makes up 28% of compliance costs. Only KYC case management was shown to be more costly than AML case management at 29%.
Many case managers rely on manual or semi-automated reporting systems. However, manual SAR reporting has several drawbacks.
- Increased reporting time
- Increased cost
- Workforce allocation
- Higher chance for human error
- Report inconsistency
AML case management software can cut down on costs and time consumption. It also standardizes reports for FinCEN, law enforcement, and other relevant institutions.
Unit21 offers built-in SAR e-filing to FinCEN, saving hours of manual work per week. Our software can also send reports through the United Nations’ goAML application. The reports are then sent to multiple participating countries.
Case Management Best Practices for Risk and Compliance Teams
Many of these best practices may sound intuitive. However, companies with AML failures can generally trace the failure back to best practice blunders.
Global AML efforts have an abysmal success rate of 0.2%, which begs the question - why are these organizations failing to stop financial crime when they’ve invested billions into highly trained personnel and state-of-the-art software?
Money laundering is difficult to detect by nature. But lax risk and compliance programs make it even easier for financial crime to go undetected and unpunished.
Companies can remedy their AML by ensuring risk and compliance teams have everything they need to succeed.
Here are some tips to follow to ensure the best results.
Know the Regulations
Everyone knows to comply with industry regulations. But not everyone keeps an active watch on regulatory changes.
Financial activities span multiple countries, regions, and jurisdictions in today’s global economy. U.S.-based companies have different state laws as well as federal laws.
Risk and compliance teams must keep up-to-date on regulations to maintain compliance. Lack of regulatory knowledge won't be a good defense in court for companies who lapse on compliance.
Many companies delegate a central authority responsible for knowing industry regulations. An AML Compliance Officer's duties generally include ensuring a company knows current laws.
Outline Company Goals and KPIs
Many companies implement AML solutions piecemeal or through remediation.
While compliance is a necessary objective, companies need specific goals and benchmarks.
AML penalties have resulted from goals that created AML failures. For example, US Bank's Chief Operational Risk Officer was fined millions because he decided to cap transaction alerts instead of expanding case management investigations.
Goals should be based on standards and metrics that:
- Meet compliance requirements
- Effectively detect financial crime
Both these areas must be a goal's foundation. A lapse in either is a company-wide AML failure to regulators.
Company KPIs also help risk and compliance teams meet these goals. Teams rely on benchmarks to prove case management success or identify areas of improvement.
Update Policies and Procedures
Risk and compliance teams should have a working plan for policy and procedures. AML programs are constantly changing.
Many changes aren't updated regularly in company policies and procedures. This hinders training and investigations.
Employees who aren't on the frontlines of case management will quickly get left behind. In addition, using outdated policies and procedures will increase the risk of a company falling out of compliance.
Effective case management relies on company-wide cooperation. Companies don't want employees in other departments using outdated procedures. It will affect investigation quality, speed, and success.
Like regulation updates, it helps to have a central authority whose duties include updates to policies and procedures.
Ensure Proper Training
Many companies limit relevant training requirements to risk and compliance teams instead of including those not directly involved. This creates a defunct compliance culture.
Case management investigations rely on a company-wide understanding of risks and regulations. Companies won't know regulations, policies, and procedures without appropriate training.
Use Case Management RegTech
Case management solutions rely on RegTech improvements. For example, AML works best if it’s predictive and proactive. However, case management in banking often struggles just to manage reactive detection systems. Alternatively, digital FI's can get ahead of competitors by using a machine learning alerts system that uses predictive scoring for improved operational efficiency.
Technology solutions can increase the scale and scope of a case management system. This directly improves AML investigations.
Case management workflows get better leads, investigation time, and report generation. It also reduces the cost and effort of case management compliance.
Risk and compliance teams need scalable AML technology for more demands on AML reporting solutions. Customizable case management solutions also help them manage increasingly complex AML requirements.
Run Independent Reviews
Case management should regularly undergo independent audits and evaluations. Independent review is vital for any process but especially necessary for risk and compliance. The BSA requires independent reviews of all AML programs.
Independent reviews don't have to come from third parties. Anyone who isn't the AML Compliance Officer and their direct subordinates count as an independent source.
Third-party reviews by expert consultants can be beneficial, however. They can spot problems or offer case management solutions from an unbiased perspective.
Stay on Top of Industry Trends
Future trends of AML case management will incorporate emerging technology and expand AML’s scope. As a result, operators in this space must be ready for action.
Current trends for risk and compliance teams to take note of include:
- The development and implementation of low and no-code software that reduces reliance on engineering and offers a more flexible solution than most proprietary solutions.
- Expansion of KYC into more in-depth reviews like KYCC (Know Your Customer’s Customer).
- Evolving rules and regulations for Cryptocurrencies.
- The incorporation of artificial intelligence and machine learning into AML compliance processes.
Case Management in Risk and Compliance: Key Takeaways
When it comes to AML compliance programs, the case management process is key to ensuring the system is both efficient and effective. It's important that you do your best to reduce the cost of your AML compliance programs by using a tool that's optimized for performance.
Here is a recap of what we discussed in this guide to case management:
- Companies are held liable for the high failure rate of AML systems. But, unfortunately, checking off a compliance list won’t save them from penalties.
- A compliance program is ineffective without AML case management investigations. However, investigations need the resources and oversight to be effective on their own.
- Future AML investigations will use dynamic technology to build more responsive systems, which is why our customers have turned to Unit21 for their AML Case Management. Request a demo today to learn more.