Below are audience questions and our presenters' answers from the FinScan webinar, “Challenges and Best Practices of AML Screening -- Part 1: The Importance of Data,” January 30, 2020. We've also included poll results from the live webinar.
Legal disclaimer: The information contained in this question and answer is the professional opinion of the presenter and not that of Innovative Systems, Inc. and is provided to you for informational purposes only. The information is provided to you “AS IS” and does not constitute legal advice. Innovative does not provide legal advice and Innovative is not a law firm. Innovative makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information. You should not rely on this information without independent verification and consultation of your own legal counsel.
Currently, which software solutions are the best in terms of screening?
There are many commercial screening software products on the market, but we recommend software that has the following capabilities:
- The software should be able to handle bad data and address your data quality issues.
- The software should have a granular matching algorithm so that you can easily specify what kind of alerts you want to see. Also, having a transparent matching algorithm makes it much easier to configure and fine tune the matching rules.
- The software should have sophisticated compliance list integration capabilities. It should be able to take advantage of all the data in the compliance lists. It should also allow you to pick and choose which data matters to your risk-based approach and block out the “noise” that you don't care about during the screening and alert review processes. How the software is integrated with the list database could also affect the timeliness of your list data updates and how quickly you can run your batch screening.
We have found that these three capabilities are crucial to reducing false positives and accurately identifying the risk you need to be alerted to. These are capabilities that FinScan focuses on to help our clients achieve the best screening results.
What are some of the best practices to prevent false positives?
Just like when you are building a house, it's important that you start with a solid foundation. In the screening process, you need to address your underlying issues. This means making sure your input data is free of errors and prepared and optimized for the best screening results. Advanced screening systems should include a strong data quality capability as part of screening process. See the previous answer for more information on the best practices that we at FinScan deploy to help prevent false positives for our clients.
How can we minimize human error when the client provides the information?
Intelligent tools can identify data quality issues and address them as part of the screening process. However, there might occasionally be data quality issues that cannot be fixed, such as missing data and dummy data. In this case, knowing the level of quality of your data and accounting for the condition of your data in your matching process can greatly reduce your exposure to risk as well as minimize the amount of false positives you will get. In addition, knowing these issues also allows you to go back to other departments that are gathering the data, e.g., onboarding/account opening – and provide feedback on their processes.
In most FIs, which department is responsible for data accuracy? Operations team? IT team? Compliance team?
The departments that are responsible for data accuracy might vary depending on the institution. There could be an IT department, an AML IT team, or even a separate Data team to take care of the data for the entire institution. However, no matter which team is responsible for data accuracy, we believe that Compliance needs an easy lever to control their own data quality since the data within a company is usually not built for compliance purposes. Rather, the standards are established for Marketing, Customer Service, or other operational purposes. Compliance has specific data needs. If the screening process misses a real hit or the screening system generates too many false positives due to poor quality data that is not optimized for compliance needs, Compliance often is the one that is responsible for the consequences of the bad data. This is the reason why FinScan conducts a compliance-specific data optimization step as part of the overall screening process.
What challenges do you face when trying to address your data issues for compliance purposes?
What would be the best practice to verify addresses?
The best way to verify addresses is using an Address Verification System (AVS). These systems have databases of valid addresses that they check against to make sure an address is not only in an acceptable format, but is a registered address in the country provided. We offer an AVS called PostLocate® that is an up-front processing tool for verifying addresses.
One rather large root problem not mentioned with Data Quality is with the first line of defense, the LOBs (Lines of Business), not obtaining all the proper KYC information in the first place. Training is either not getting through or not understood, and senior leaders at the top of the Business do not stress the importance of, and issues with, not complying with these policies and rules. Compliance is everyone's business!
We agree with your comment! Because Compliance cannot always influence how things are done in the first line of defense or the LOBs, it's important for them to have their own tool to control the quality of their input data that impacts the compliance processes. Here at FinScan, that is what we try to provide – a Data Quality tool built for compliance purposes that is easily controlled at the compliance level (e.g., watch list screening).
Let’s say two areas of an organization are screening the same individual. Is this a valid scenario? If yes, will that be termed as duplicate screening as well?
Yes, this is a very valid scenario and is a case of duplicate screening. FinScan connects the duplicate alerts so that when one person is reviewing a hit, that person can know where else in the company that same hit has come up or will come up. This provides a holistic view of the alert and your risk exposure.
One question regarding DOB – There is often discrepancy with DOB formats in American and EU formats (MM/DD/YYYY) and (DD/MM/YYYY). Screening twice with the two formats creates more duplicates. Any comments to avoid this?
This is why we recommend standardizing your DOB to match the format that your list data is in. You need an apples-to-apples comparison between your customer data and the regulatory list data. Otherwise, you will generate excessive false positives or miss a real hit. The first step is to conduct a data analysis on your customer or internal data to understand the consistency or lack thereof within your data. Then you can get a better feel for how to standardize it. FinScan can help you standardize the DOB formats across your organization and also match the format to that of the list data for an accurate comparison. This will eliminate the need to conduct duplicate screening and will minimize the risk of missing real hits and creating false positives.
If you look to add Compliance-specific data preparation and you are screening in real-time, what type of delay do you add to accomplishing the required screening?
Compliance-specific data prep should not add any delay to your screening process.
Can you address the scenario of an institution outsourcing IT, therefore relying on audits of the IT service provider to ensure data quality?
No matter where your data quality is being addressed (i.e., in-house vs. outsourced), the best practice is to check again at the point of screening to ensure that it is truly optimized for compliance purposes. Unless your outsourced IT service provider is working solely for your team according to your compliance-specific data quality standards and needs, you will most likely need to further optimize that incoming data to prevent false positives or false negatives.
What is the best way to record a third party transaction, as most programs have only one field for name and last name whilst the customer at the counter represents another person whose name should also be recorded?
We cannot speak for other programs, but FinScan can ingest records that have multiple names. FinScan identifies all the names in a record and screens each name separately against the regulatory/compliance list data and alerts you if there is a match.
Are there standards for naming conventions, especially where there may be spacing limitations, i.e., first name max 30 characters or first 30 characters?
We suggest dropping all unnecessary words such as titles, appendages, etc. and sticking to just fundamental name elements such as first and last names or just organization names. It also helps to standardize words like CORPORATION to CORP or INCORPORATED to INC.
Regarding your example of “Sharp Corporation”, “Sharp” is an extremely common word. Wouldn't searching just "Sharp" cause a slew of false positives/noise?
The word "Corporation" is also a very common word and is attached to many organization names. Our experience has been that removing the word "Corporation" reduces false positives better than leaving it in.
Request Your Data Quality Analysis!Let us show you, using your own data, how properly preparing the data for compliance screening can reduce your false positives and risk by as much as 50% over your current solution. Click here to learn more.
Do you customize a database based on a country's regulatory requirements?
We make sure that the different regulatory requirements of the jurisdiction that the institution is in, such as different regulatory lists and requirements for screening, are captured during our implementation and also on an ongoing basis. We also conduct a data analysis on the internal customer database files to identify any unique requirements that need to be addressed before screening takes place or that need to be accounted for in the matching rules.
Does FinScan's product offer an "AML Internal Audit Function"?
Our Professional Services team can test your screening set-up before it goes live. Our process is such that any matching rules or changes in the rules go through rigorous validation and testing before they are put into production. We also provide regular “health checks” to ensure that FinScan match rules are performing as expected and fulfilling all customer requirements.
What do you consider to be the biggest challenge in reducing false positives and identifying true risk?
My company already has data quality controls at the core system. Why do I need FinScan Premium in this case?
We analyze a lot of companies' data that's used for compliance. Even though companies may have data quality procedures or controls at their core system level, they may not be suitable for Compliance monitoring purposes. That's because those databases were meant for marketing services or operational purposes other than compliance, so when the data is used for screening, it's not “fit for purpose”. Hopefully, our webinar showed why data might perform fine in some use cases, but when Compliance needs to use it, it may not be useful. More importantly, it may cause major problems down the line – i.e., either you get alerts that are not necessary (false positives) or you could be in a situation where you think you are screening correctly but there is additional hidden data in the records that is not being screened. The consequences in this case would be that you are missing real matches against sanctions or other lists.
If we receive incorrect, missing customer data from the customer, is that our responsibility to realize that it's incorrect?
It would most likely be the financial institution’s or the company’s responsibility. If you, as a company, have application forms or customer identification/due diligence forms that ask a number of questions and they are returned without the information, or if there is further data that your policies and procedures require you to collect but you don't do so and you don't identify that data as missing, then the responsibility will rest with you. It's up to the organization to make sure they have the right data from the customer and then screen it correctly after that.
Screening software would remove noise words, but what about normal words – how do we clean those to get fewer false positives?
Data quality processes are needed to ensure that your data is in good condition. FinScan can address your internal data quality issues as part of your screening process so that you don't have to worry about cleaning your data yourself. Please see the examples in the webinar as well as on our website.
How often do you integrate data from OFAC and other entities in your solution?
FinScan updates the majority of regulatory list data on a daily basis. This includes OFAC, HMT, EU, FATF, FinCEN, etc., as well as enhanced third-party databases such as World-Check and Dow Jones watchlists.
Does the FinScan solution provide an audit trail?
Yes, FinScan provides audit trails on all user actions. If you have a specific question, please contact us at firstname.lastname@example.org. We'd be happy to discuss your needs.