Risk Management Never Been So Simplified

From the previous article, we have come to known that why different regulatory bodies want to implement goAML and why they are pushing different financial sectors to implement them. However, the problem occurs when the expectation of regulatory bodies does not match with the reality of financial institutions. We are going to share some problems that most financial institutions(FIs) may face at the time of implementing normal along with their solution.

1. Gap Analysis:

In a simple sense, goAML is nothing more than reporting transactions online rather than manual reporting. The problem arises when organizations need to provide the information that they have never bother to collect from a customer or input into the core banking system. For instance, providing information about conductor details like name and phone number. That being said, your first objective here is to identify, what additional information is needed from the goAML perspective. In this sense, you need to first carry a gap analysis to identify what information you require for goAML.

2. Technical Feasibility

Now, let’s look at the second problem. To put it bluntly, we really don’t know how our Core Banking System(CBS) work. Most core banking systems are designed to carry out financial transactions only. However, many Fis try to customize CBS for KYC management, for which it was not built in the first place.

 CBS is a closed system and it should be a closed system. The vendor does not allow any customization in that system but they allow initially at the time of implementation even though, they know that it will bring complexities later. They do this because they need to sell their product.  CBS is a system that is composed of various modules where each module is responsible to handle various transactions and these modules are interrelated, therefore, if you make changes in the module it is going to affect others. Since, in the beginning, the organization is not carrying any transaction, so changes made will not have any significant effect, but later it might, hence, the vendor or your IT department may be reluctant for the change.

Therefore, a better method is to have a separate KYC system that is linked to CBS through API. There should be a separate database which will combine the information from both of these systems so that you can generate XML files for  GoAML reporting purpose.

3. Root Cause Analysis

Ok you have required fields in the CBS system will that be sufficient, well no, you need data, only then you will be able to succeed in goAML reporting. Again, who provides the data, customer of course but it should be inputted by your front line staff. If your front staff is not educated about this or unaware of the value of the data they will not be interested in putting data.

There are organizations that have large goAML screening teams of up to 20-30 staff whose main responsible to dump the goAML report from the system and check for incomplete and inconsistent data. This is a complete waste of time because you are not trying to fix the root problems. The main problem lies with your front line staff. If you are suffering from any instance of incomplete or inaccurate data then there is a problem with your front-line staff. It means either they are not educated or they don’t how to identify, collect, and input data from KYC documents or transaction vouchers into the system, and in some cases may be just negligent. Once you identify this problem, you need to solve these issues by providing them with rigorous training, developing different types of checklist regarding how to fill information in the system, or customizing the system itself to make it user friendly. Even after this, your staff makes mistakes then you need to set an example by taking disciplinary action, to give a message to other staff that you have adopted Zero Tolerance Policy for goAML.

4.Lack of clarity of scope.

Regarding goAML, there is always confusion regarding the scope of AML/CFT or Compliance department, Operation department, IT department.  From the GoAML perspective, you need to understand this clearly from the very beginning, as AML/CFT or Compliance department your role is to perform a gap analysis between the requirements of GoAML and  CBS to identify what additional information is required. You need to communicate these requirements to your IT  and Operation Department. IT department is solely responsible to handle technical parts like creating additional fields in the CBS or build separate systems if required. Now comes the role of the operation department, it needs to develop checklists, educate front line staff on how to carry out transactions, and inputting information in the system completely and accurately. AML/CFT or Compliance Department will play an oversight role to see if all the activities are being carried out to meet the GoAML goals if there is any deviation, corrective measures should be taken. Therefore, it is the utmost requirement that the AML/CFT or Compliance department will call meeting with these departments on a frequent basis to obtain the status of the progress.

However, this is a very ideal situation, the situation is aggravated when there is a lack of coordination exist between these departments and the blaming game starts. Every department has the excuse that they are unable to do so and so because other departments did not cooperate with them. Thus, although the individual department may win by playing this game, the whole organization will suffer.

[stextbox id=’alert’]ARE YOU PLANNING TO TAKE ANY PROFESSIONAL CERTIFICATION EXAM LIKE CAMS, CISA, CISSP, CER OR OTHERS, SOONER OR LATER. TO HELP YOU IN THIS JOURNEY, WE HAVE JUST A MOBILE APP FOR YOU, WITH TON OF FEATURES AND “ABSOLUTELY FREE”.ALSO, CHECKOUT OUR YOUTUBE VIDEO PRESENTATION FOR THIS APP WHICH ALSO INCLUDES GREAT TIPS ON PASSING THESE EXAMS. [/stextbox]

5. Lack of Top Management Commitment

This mostly happens when the vision of top management is myopic as some management are business motives so compliance may be of less priority. The goAML is usually carried as a national-level project by the government which is headed by the FIU of the country. FIU of the respective country usually forces compliance/AML-CFT staff of the organizations to carry out the goAML activities but if the top management is not motivated, they cannot do much. Therefore, FIUs should instead try to make top management aware of the consequences of not able to complete goAML project. It is of great importance that the tone from Top management should be set in such a way that, it must be clear throughout the organization that management is going to do whatever it takes to make the goAML project successful and any non-compliance will be severely dealt with.

if you are going to implement goAML in your organization, trust in this, it is going to be one hell of a ride. However, if you have gone through our article and training videos then we can assure you that your journey will be a comfortable one.

Thank you for your time. Please do like and share this article if you have found it useful.

ABOUT AUTHOR Kiran Kumar Shah https://learnwithsiorik.com/tutors/

If you are in the financial institution sector, you must have heard the term GoAML. This two-part article series will explain what is GoAML, why was it introduced, what are nuts and bolts behind it.

 What is goAML?

GoAML application is one of out of many solutions provided by UNODC to combat worldwide financial crime in the areas of money laundering and terrorism financing. It is the integrated database and highly intelligent system pioneered by Enterprise Application Center Vienna(EAC-VN).The Enterprise Application Center Vienna(EAC-VN) of the United Nations Office in Drugs and Crime(UNODC) specializes in the development, implementation and support of GoAML used by its Member states.The goAML application is available to Financial Intelligence Units of Member States as of March 2020, out of 111 Member FIUs, 49 have already deployed goAML.

FIU and goAML

As you all know that FIUs play vital role in preventing money laundering and terrorism financing. They do this by collecting, processing and analyzing suspicious activities report that they receive from financial institutions or other entities as per AML/CFT laws of the regime. GoAML will act as central repository to create database of reports on such SAR/STRs.Then after GoAML performs following functions

1. Collection: It receives the SAR/STRs submitted by FIUs
2. Analysis: FIU will then perform different types of analysis based on different scenario and carries out risk scoring and profiling.
3. Data Sharing: The data is exchange between  FIU and regulatory bodies, intelligence agencies or international bodies on the basis of mutual agreement.

Demystifying goAML

The GoAML system has built in 14 separate functions into one software which includes data collection, data evaluation and clean up, ad-hoc queries and matching, statistical reporting on information/reports received and processed, structured analysis, account profiling, rule-based analysis, workflow management, task assignment and tracking, document management with full text search capacity, intelligence file development and management, data acquisition/integration from external sources, integrated charting and diagramming and an intelligence report writer tool.

The goAML system is driven by a security model that specifies the kind of access rights each user has, and which provides an audit trail and log details for every transaction performed by all users. The goAML solution is well suited to both low and high data volume environments.

   GoAML stores following types of report received by FIU:

1. Cash Transaction Reports (CTR).
2. Suspicious Transaction Reports (STR).
3. Unusual Transaction Reports (UTR): UTR relates to all unusual (cash) transactions that might be suspicious.
4. International Funds Transfer (IFT): IFTs are the in which money is sent to from one country to another.
5. Cross-Border Report: Transactions that involve sending or receiving money across borders.
6. Additional Information File (AIF): AIFs are replies to requests for information when the analysts require more details on transactions, involved persons, accounts, or entities.

It also interesting to note that FIU of different countries has different level of maturity. The competency, availability of resources to one FIU may be different from other FIU in another country. FIU Information System Maturity Model (FISMM), developed by the Egmont Group of FIUs, is a comprehensive framework to enable FIUs of varied sizes and contexts to assess the maturity level of their processes and IT systems. Five types of FIUs (in terms of FIUs of sizes and contexts) have been identified:

1. Small FIUs in fragile countries
2. Small FIUs in stable countries
3. Average FIUs
4. Big Data FIUs
5. FIUs supporting a distributed user community or distributed financial institutions

In line with this different architectures of GoAML has been develop to support different level of FIUs, they are also of five broad categories.

1. goAML in the box for small FIUs in fragile states;
2. goAML SE for small FIUs in stable countries;
3. goAML SE – goINTEL for average FIUs;
4. goAML EE for big data FIUs; and
5. goAML D for FIUs with distributed user community and/or distributed financial institutions (with commercial/financial free zones)

The main purpose of GoAML is to:

• Facilitate various countries in meeting international standards through creation of  effective Financial Intelligence Units (FIUs)
• Develop standard global anti-money laundering platform
• Create customize system to meet  needs of any type of FIU
• Become User Friendly by providing standard graphical user interface
• Develop more user base.
• Promote good relationship with many international and regional institutions

Technicality:

So in simple words, goAML is online reporting of your regulatory reports mainly TTR and STR. This is done via XML file. You will have AML solution system which will generate transaction reports that are in the XML format and the same XML file will be uploaded. For those who are not aware of XML, let’s dig it little deeper.

XML is short form of eXtensible markup Language and it was designed to store and transport data. It does not do anything, it is information wrapped in the tags. For example:

<email>

<to> Mr.Bond</to>

<from>Dr.No</from>

<heading>Spectre</heading>

<body>No on Lives Twice!</body>

</email>

The above tags are not defined in the XML, they are invented by author(Dr.No in this case) to carry information from one system to another. These tags in XML file as a whole refers to element. These element can contain text, attributes, other elements. In this case<email> is element which contains text tags like <to>,<from>,<heading>,<body> and it contains text information.XML stores the data in plain text format so exchanging between different system is simplified.

XML Schema

For every XML file there should be XML schema, For the above XML file , the following is the XML schema.

• <xs:element name=”email”> defines the element called “email”
• <xs:complexType> the “email” element is a complex type because it includes other types of elements/text within its tag.
• <xs:sequence> the complex type is a sequence of elements i.e different tags
• <xs:element name=”to” type=”xs:string”> the element “to” is of type string (text)
• <xs:element name=”from” type=”xs:string”> the element “from” is of type string
• <xs:element name=”heading” type=”xs:string”> the element “heading” is of type string
• <xs:element name=”body” type=”xs:string”> the element “body” is of type string

Therefore, XML schema is a syntax for XML file. For e.g, in <body> tag, if you supply numerical input, then your XML file will not be validated because <body> tag only accepts data in string/text format. So, if there are data error in your XML file then your XML file will not be validated because it will inconsistent with XML schema.

Validating XML file

1. Regulator Site:

Most probably your regulator will have provided the site in which you can validate your XML file for any errors. You need to copy/paste your XML file and click on submit/validate button to check XML file for any errors.

2. Online Site:

There are various online sites that provide the same facility as your regulator site. Here, they have option to upload XML schema file in one section and copy paste XML file in another section. Then you can validate those files. However, caution is required here, since the you are trusting your confidential data to unrelated third party, so confidentiality of the data may not be guaranteed.

3. Plugins

If you are using Notepad++ or other software for editing XML files then you have option to install plugins to upload XML schema file for validating your XML files.

However, with all the above options, there is one flaw. These options are only suitable if you are trying to validate XML files one at a time. Remember, you may have hundred of XML files for TTR and STRs reports. It will be time consuming to validate each XML files one at a time. Therefore, you may need to contact Vendors who can provide you with bulk validation of XML files.

4. SIORIK goAML Bulk Validator:

We have also launched a product called SIORIK goAML bulk validator, the main feature of this product is that you upload the whole  folder of XML files and verify it against the XML schema. Further, if you are involved in Nepalese Banking and the financial institution, we have good news, with the purchase of this Bulk Validator, we will provide you with customized XML schema which is an improved version of XML schema provided by FIU. It detects inconsistencies like a missing source of fund, permanent address as well as whether the PAN is in numerical format or not. If you want, you can purchase this product by clicking here. The following video shows the demonstration of this product.

In the next article, series we will discuss, what problem do usually financial institutions face while implementing goAML in their organization.

Thank you for reading. Please like and share this article, if you have found this article useful.

[stextbox id=’alert’]ARE YOU PLANNING TO TAKE ANY PROFESSIONAL CERTIFICATION EXAM LIKE CAMS, CISA, CISSP, CER OR OTHERS, SOONER OR LATER. TO HELP YOU IN THIS JOURNEY, WE HAVE JUST A MOBILE APP FOR YOU, WITH TON OF FEATURES AND “ABSOLUTELY FREE”.ALSO, CHECKOUT OUR YOUTUBE VIDEO PRESENTATION FOR THIS APP WHICH ALSO INCLUDES GREAT TIPS ON PASSING THESE EXAMS. [/stextbox]

Next Article: Problems on Implementing goAML