Ensure that your firm has a clean bill of health

“Health checks and maturity assessments are the first steps in assessing a firm’s financial crime (FC) framework because they depict the current state of a firm’s controls and the level of regulatory compliance. Furthermore, the main purpose of health checks and maturity assessments is to benchmark and test against a firm’s existing standards, global standards, where applicable, and most importantly, against regulatory expectations”, stated Gabriel Cozma, Head of Consulting Strategy, Innovation and Methodology at the Lysis Group.

High level and detailed reviews

A health check is a high-level review of the design of a firm’s FC framework and can identify possible gaps. A maturity assessment is more advanced: it provides a detailed review of the firm’s framework, including testing of the effectiveness of the framework itself. Independent testing of a firm’s FC framework is a key regulatory requirement, because it demonstrates that all controls are in fact effective.

Gabriel explained that “Health checks and maturity assessments can highlight the gaps and improvements needed for a firm to implement a robust financial crime framework, including early interventions and long-term interventions within which the controls environment can be improved for a firm to become and remain compliant in a cost-efficient manner. By not addressing the core problems of an FC framework, the result could be a thematic review and hefty fines as well as a reduction in efficiency and higher costs in the long run. This in turn can affect the firm’s bottom line negatively.”

Taking proportionate measures

Firms evolve and mature over time, and that evolution is generally associated with change: the appointment of new management, mergers, acquisitions, or compliance with new regulatory requirements. Firms must therefore take proportionate measures, in line with their existing and new levels of risk, to satisfy regulators and demonstrate that their controls environment remains effective. This is where health checks and maturity assessments play an important role.

Gabriel further pointed out that “Health checks involve a review of a firm’s controls that are embedded in a financial crime framework. You want to assess if the design of a firm’s financial crime framework is fit for purpose and meets the regulatory expectations or any kind of commitments that were made to the regulator.”

“This consists of a high-level overview that determines whether a firm has a policy framework in place and, if so, the design of the actual policies is reviewed to determine if the firm complies with regulatory expectations regarding policy coverage and content. Some of the policies that must be included in a firm’s policy framework consist of Anti-Money Laundering (AML) policies, Sanctions policies, Anti-Bribery and Corruption (ABC) policies, Anti-Tax Evasion (ATE) policies, etc.”

The high-level review consists of three aspects. The first is the actual review of policy documentation. Policies must be documented and aligned with the firm’s standards across all the business sectors.

Once this process has been completed, the second aspect involves policy recommendations that bring the policies in line with the firm’s required standards and the regulatory requirements. For example, a firm’s AML policy might contain all the required components but not be detailed enough; alternatively, it could be too detailed, in which case sections of the policy should be moved to a separate document or to underlying, supporting documents such as procedures. It is essential to have a clear, concise and complete policy in place which specifically addresses the risk in a proportionate manner.

From a policy coverage point of view, if a firm’s business model is more complex, for example an investment or retail bank, it might be wise for the firm to compile one policy for all business streams but separate standards and underlying procedures for each business stream, because each stream will have very specific requirements (e.g. digital complexity, the different product offerings in each business stream, etc.).

Meeting specific criteria

The completed questionnaire and documentation that a firm provides as part of a high-level health check will also reveal whether the firm meets certain criteria, including how controls are being implemented: for example, the level of detail in the screening of payments and clients, the effectiveness of transaction monitoring, and the escalation process in relation to the operational tools used for these activities.

Specific criteria can further determine whether a firm is addressing its levels of risk in a consistent manner when using the available operational tools. This indicates whether the firm can control the effectiveness of its processes by having the right rules, the right tuning process, and the correct thresholds as part of the transaction monitoring process. Once the output is delivered in the form of alerts, a health check can also determine whether the firm has the right process in place to manage these outputs effectively and efficiently, so that it does not run into alert backlogs.

The third aspect of a health check consists of addressing all the identified gaps, based on the recommendations made. The corrective actions should primarily be owned by the business in the First Line of Defence and/or by the Second Line of Defence, and be implemented within a specific timeframe to signal commitment. Once the recommendations have been implemented, they must be tested to determine their effectiveness, and this process can be repeated several times to test all related controls.

The devil is in the detail

Gabriel stated that “Although health checks and maturity assessments both address gaps, maturity assessments include the testing of policies because once the policies are in place, they must be embedded in a firm’s financial crime framework. Embedment refers to the policies not only being adopted by the firm but also forming part of the business as usual (BAU) processes of the business operations. This is key because it displays the level of maturity of the firm where ideally, the controls are firmly embedded in the BAU activities, resulting in increased consistency and effectiveness of controls, and driving efficiencies.”

Assurance consists of more in-depth testing of a firm’s controls and can result in two types of review: one of the design of the controls and one of the effectiveness of their implementation. A rating is then applied which serves as a “bill of health” for the firm’s financial crime framework.

Gabriel added that “Controls are tested to determine if they are indeed effective and do what they are supposed to be doing. One way to determine this is to review the design of the controls but when firms deal with real data, they might find that even though the controls are in place, they do not perform optimally when benchmarked against peers or against expectations. This could imply that the underlying data is either unreliable or that the configuration of the operational tools is not correct and must therefore be addressed in terms of data shortcomings or more refined thresholds to meet the expected benchmarks.”

Benchmarks serve a specific purpose

Everything must be measured, because the benchmarks exist for specific reasons: they ensure that the minimum requirements set out by regulators are met. This is done through several processes, including “clear and comprehensive testing”, where various tools and methodologies are applied during the testing phase. One of these methodologies is “testing your own rules”, where a third party provides a sample set of data which is run through the firm’s rules to determine the integrity of the firm’s own data in relation to the benchmarks.

It is important that testing is completed within a specific timeframe to ensure the integrity of the findings. Testing timeframes are normally specified in Service Level Agreements (SLAs), because if the testing process takes too long, it loses credibility and the results are compromised.

Gabriel concluded by saying that “As financial crime compliance experts, the Lysis Group has the know-how to conduct health checks and maturity assessments across the Customer Lifecycle. For example, a firm will have a standardised process in place for their KYC operations and Lysis can test the quality of output by reviewing sample client files and comparing the quality of output with our own findings, using very specific benchmarks. The quality of transaction monitoring outputs can be tested in the same way. When a firm’s manual or automated KYC and transaction monitoring systems are tested, this usually takes place within a “sandbox” test environment which is normally provided with the support of specialist third parties.”
