Partner & Director
In 2021, the Central Bank of the UAE (CBUAE) published several regulations and standards for the banking sector. These encompass several key areas of financial regulation, including anti-money laundering (AML), consumer protection (CP), and data security (see Exhibit 1). Some of the new anti-money laundering requirements present significant operational challenges. In order to comply, some banks may need to revise their transaction monitoring (TM) systems and compliance organizations. Still, with the right approach, they can design resilient, future-proof compliance target operating models that meet or exceed regulatory expectations.
The AML & Combating the Financing of Terrorism (CTF) landscape is seeing rapid change, with the CBUAE actively strengthening its regulatory framework and bolstering its oversight activities, also following the outcome of the 2020 Financial Action Task Force (FATF) mutual evaluation. We should therefore expect the UAE to take further action to address identified topics and comply with and the FATF Recommendations.
The CBUAE has already shown that it will not hesitate to enforce its AML requirements. Indeed, it has imposed fines totaling more than AED82 million (US$22.48 million) on 12 banks1 Notes: 1 “CBUAE imposes financial sanctions on 11 banks operating in the UAE“; “CBUAE imposes monitoring and financial sanctions on a bank operating in the UAE” and 6 exchange houses2 Notes: 2 “CBUAE imposes financial sanctions on six exchange houses” since the beginning of 2021. At the time of writing, the most recently published was a fine of AED19.5 million imposed on a local bank for AML failures.3 Notes: 3 “CBUAE imposes monitoring and financial sanctions on a bank operating in the UAE” These financial penalties, while still relatively small compared with those in the US and EU,4 Notes: 4 SEB Bank fined $107 million for AML failures send a clear signal to the UAE financial services industry that compliance failures will not be tolerated.
Over three months from June to September 2021, the CBUAE published or updated at least six different guidelines on AML topics applicable to banks, including:
The guidelines provide additional clarity on the preferred risk-based approach and standards expected of bank AML and sanctions programs. However, they also introduce new requirements, some of which may present substantial operational challenges.
One of the most notable changes was brought about by CBUAE Guidance on Suspicious Transaction Reporting. The Guidance introduced a requirement to file suspicious activity/transaction reports within 35 days of a first alert (including 20 days for analyzing the alert and making a decision on whether it warrants an STR/SAR filing, and an additional 15 days for preparing and filing the STR/SAR).7 Notes: 7 Article 4.6 of the AMLCFT Guidance for LFIs on Suspicious Transaction Reporting To many banks, this presents the prospect of a difficult transition, which may require a full revision of the AML compliance organization and, more specifically, transaction monitoring and screening frameworks.
Changing or upgrading a transaction monitoring system may take years whereas the CBUAE gave banks a grace period of one month to comply with the Guidance on Suspicious Transaction Reporting (including the 35-day SAR/STR filing rule). To many banks, especially those that use fewer automated solutions for transaction monitoring, a natural short-term solution may be to hire additional staff to increase the speed of processing SAR/STR alerts. However, there are challenges associated with this approach.
First, any transaction monitoring system lacking automated solutions is likely to be ill-suited to the fintech revolution already underway in the UAE financial sector. With fintech solutions and digital distribution channels positioned to deepen their banking penetration,8 Notes: 8 Source: CBUAE Financial Stability Report 2020 the number of banking transactions is likely to rise. In the absence of advanced technology solutions for automated detection and analysis of SAR/STRs, these trends are likely to result in a growing number of STR/SAR alerts, creating an ever-increasing demand for compliance resources. Coupled with the CBUAE requirement to avoid defensive filing,9 Notes: 9 Article 3.3.1 of the Guidance for LFIs on Suspicious Transaction Reporting banks must strike a delicate balance between maintaining a team of professionals sufficiently qualified to process and escalate alerts (to the satisfaction of the CBUAE) and managing budgets and risks associated with hiring more compliance staff. The CBUAE itself has emphasized that the effectiveness of manual analysis is undermined by the complex and evolving nature of financial crime risks.10 Notes: 10 Article 2.6.1 of the Guidance for LFIs on Suspicious Transaction Reporting
There is another reason why simply hiring additional staff for manual alert processing in lieu of automation may not be the best approach in the longer term. Traditionally, the primary cost-benefit of this approach was derived from relocating or outsourcing operational tasks (such as level 1 alert analysis) to offshore locations with a lower cost of labor. However, other regulatory changes introduced by the CBUAE may restrict cross-border transfers of data out of the UAE, prompting banks to reconsider the benefits – and risks – associated with offshoring.
In 2021, the CBUAE issued several regulations and procedures that had a direct impact on offshoring arrangements, including:
While these impose a variety of requirements, we here focus on those that may have implications for offshoring or outsourcing compliance tasks to another country:
It remains to be seen how these requirements will impact offshoring arrangements for operational compliance tasks such as SAR/STR alert reviews. There may still be alternative solutions (e.g., offshore staff working remotely through the cloud on data physically stored in the UAE). However, the key question would be whether such solutions are justified from an effectiveness and efficiency viewpoint, considering the associated HR, operational, and regulatory risks.
An alternative solution for meeting the new CBUAE alert handling timelines would be taking a two-pronged approach, combining automation and process optimization. (See Exhibit 2).
Gradual, carefully-planned implementation of Machine Learning (ML), artificial intelligence (AI), and Robotics Process Automation (RPA) will be increasingly critical to tackling the AML challenges of tomorrow. The CBUAE acknowledges this fact in its guidance on Transaction Monitoring and Sanctions Screening, making it clear that it expects larger financial institutions to put automated transaction monitoring systems in place.11 Notes: 11 Article 2.2 of the Guidance for LFIs on Suspicious Transaction Reporting
Initial deployment of automated tools for alert analysis requires a certain pre-existing level of digitization readiness and usable data, as well as senior management support. However, if implemented effectively, it has the potential to dramatically shorten alert handling timelines and reduce false positives. Below we gather four of the many possible use cases for automation in TM:
While RPA, ML, and AI-powered solutions present numerous operational opportunities, one flip side is their lack of transparency. All decisions are made in a “black box” and are not immediately visible to human observers. This lack of clarity should be addressed by documenting the processes and procedures for setting and calibrating the rules, thresholds, and filters used by the automated TM system, and fully aligning them with AML policies and procedures, as well as regulatory requirements. It would also be a mistake to think that automation implies the elimination of human resources. Banks require qualified staff with sufficient levels of expertise to work with, maintain, and periodically test TM systems, as well as to carry out regular reporting to senior management in line with CBUAE requirements. Continuous targeted staff training and upskilling will be key to the success of an automated TM program.
In summary, when implemented effectively, automation of TM systems, coupled with process optimization, can help unlock the following key benefits:
When comparing compliance approaches to individual regulations, the temptation is to opt for the quickest and simplest solution that checks all the regulatory boxes (at least for the time being). This is particularly the case given the tight implementation deadlines typically set by regulators. However, quick solutions often do not withstand the test of time and run the risk of eventually crumbling under the weight of ever-increasing regulatory demands. As we have seen, a TM system lacking automation tools for alert detection and analysis will be much more difficult to maintain in the longer term if the banks’ customer base and transaction volumes continue to increase.
For a bank to deploy state-of-the-art automation solutions, it will need robust planning, cross-functional coordination, and the necessary compliance organization to undertake project management. The effectiveness of any TM system (even the most advanced) will depend on the operating environment in which it is maintained. A good compliance operating model should serve as a backbone for regulatory adaptations, and this should take into account not just immediate CBUAE requirements but also the key objectives and overall direction of regulatory policy and industry trends, both in the UAE and globally. Once the system is built and implemented, any future regulatory adjustments become much easier to implement in a relatively short time frame.
With the right amount of effort, a compliance TOM can be built in three stages:
Stage 1. The starting point is a holistic “health check” of the current compliance operating model across five key dimensions:
The TOM design in Exhibit 3 provides a reference for the structure of key assessment components. The recent CBUAE regulatory developments cut across all five dimensions. However, a comprehensive diagnostic test would also highlight other areas of the compliance organization requiring attention, beyond those impacted by the regulations.
Stage 2. If any gaps are found, banks should undertake a qualitative assessment to identify underlying reasons and elements necessary to close the gaps. For example, if the bank is storing data in several different IT systems, there is a case for creating an integration layer for feeding data from those systems into a screening tool. The CBUAE encourages banks and LFIs to review their TM programs at least annually.13 Notes: 13 Article 2.6.2 of the Guidance for LFIs on Suspicious Activity Reporting
Stage 3. Once the required remediation actions are defined, the final step should be to prepare an implementation roadmap detailing the time and resources required to build the target operating model.
As the pace of regulatory change accelerates, banks in the UAE need to learn quickly how to adapt to new requirements. The trend is likely to continue, not least because the CBUAE is facing emerging AML challenges. Having reviewed different approaches to addressing the new suspicious-activity reporting requirements, we conclude that automation, coupled with process optimization, presents a potentially effective combination for reducing alert handling timelines and future-proofing AML TM systems. However, these cannot be implemented without a forward-looking target operating model, which should serve as a foundation on which an effective AML program can be built. The roadmap described here should provide a useful reference for addressing immediate challenges and building a solid base on which to prepare for the regulatory challenges to come.