Building AML Software
There are several aspects that aggregate in order to procure a successful AML network, each playing its own intrinsic role. Based on industry and business model this could heavily vary from organization to organization. There are several factors that remain prevalent in every successful implementation however, some of which have already been examined in the prior text. The most important implementation to any business however is well-formed KYC policies, for a variety of reasons. In every organization, there should be some effort driving risk management practices, most businesses will find that they already have some sort of rule set and business logic to ensure that the organization is not becoming a vehicle for illicit financing and laundering. Regulation on this particular concern have become increasingly strict due to the regulation that are placed upon terrorist financing, and the fines that a business can receive if found incompliant with these can both damage their monetary assets through legal ramifications as well as have a invoke a fairly high reputation risk which can siphon valuable clientele away. Most of these concerns stem from the due diligence acts that were placed by Basel Committee on Bank Supervision (BCBS), which laid out the architecture for account opening and custom identification (CDD). In this research, BCBS laid out for principles that should be implemented to ensure effective KYC policies:
1) Customer Acceptance Policy (CAP)
2) Customer Identification (CI)
3) On-going monitoring of high-risk accounts (OMHA)
4) Risk Management (RM)
These are exceptionally top-level, but serve as a solid foundation by which we can begin to build a successful KYC regime in order to avoid undue circumstances that would otherwise be detrimental to an organization. However vague, these will define more detailed requirements that serve as a good foundation.
SharePoint has gone through many evolutions as a product, from an un-scalable legacy ASP application using a backend web storage system to a robust client / server application which leverages the .NET framework and MS SQL. This has clearly extended the capabilities when it comes to developing against the object model of the application, and creating industry ready applications that utilize the core SharePoint framework to implement RAD methodologies has made it the standard for company intranets.
From an architectural standpoint, SharePoint is generally viewed as a two tiered technology, implementing core features such as document granularity control and team services through Windows SharePoint Services (WSS) and using SharePoint Portal Server (SPS) as a way to aggregate this functionality into one cohesive unit.
The most beneficial aspects of SharePoint can be derived from the two key features to take into consideration when implementing a successful AML solutions, collaboration and communications. When this is firstly mentioned, most begin to conjure thoughts o building a unified messaging system, however for most larger organizations the introduction of the robustness of SharePoint alone will have high-reaching impacts. Scaling SharePoint out should be a secondary concern to building a reliable SharePoint architecture by which to develop against, and use as a sister server aggregator for other Microsoft products.
In order to get a better idea of how to form this policy management and where SharePoint is going to fit in with our deliverable, we have to note that the nature of KYC policies are all encompassing, and not targeted to the individual completely, although this may seem like an oxymoron when we examine the definition of KYC in a pure sense. However currently we are only examining the policies and not the programmatic approach that is planned in order to weave the individual in with the group. Policies instead should be targeted among groups, for each specific business instance where new policies are due. If we are using baseline regulatory requirements as our implementation purpose, this is going to vary heavily from country to country. So although we are targeting the individual in a pure KYC environment, these KYC policies at the individual rollup to the parent group, and in turn to the enterprise group which houses the more general guidelines that are defined by an arbitrary organization. This structure isn’t static because business models are static, therefore this can be broken down into further detailed groups based upon the industry, and nature of service that the organization offers. It is important to realize the significance of the global policy structure, although the child policies rollup into the parent, it is important to note that the core four aspects as stated before in turn roll down into the individual group, there stream of policy information therefore is two way. This ensures several things. Firstly, we are ensured that the overlying global policies which although are general are absolutely implemented at every branch, subsidiary, or other business unit related to the enterprise. Secondly, this allows us the flexible to adaptively define the policies that are needed in order to ensure compliancy of a business unit in relation to their specific environment, certain countries have certain laws, regulations, and legislation that may only be relevant to that specific instance. There are inherent implications that have to be implemented here as well, the organization has to ensure that its consolidated KYC policy will not hinder its ability to examine policy ramifications and the individual level, there has to be a fluid existence between the group and the individual. Whereas the specific individual level is more flexible and allows specific law definitions, group policy changes will be felt by all specific instances, therefore must be planned and implemented carefully. Individually defined policies should adhere to the purpose of the group, but the group need not adhere to the individual, ergo individual laws will have to conform to group standards regardless of environment. In this sense there must be careful planning when defining the enterprise group policy.
This approach is often called consolidated KYC, or consolidated risk management and is heavily used within the financial industry, but could and should be ported to other business communities. The reason being is the granularity that is offered by using this approach, we have three levels of examination, the individual, the group, and the enterprise. This should begin to sound reminiscent of the software package in the current argument, SharePoint Products and Technologies. This is the first benefit that we see when implementing SharePoint for effective KYC policies, currently there are three tiers of organizational KYC implementation, and these are currently orphaned from eachother without lines of communication. SharePoint instigation can easily fill this gap by providing a solution to establish a means of collaboration and communication in order to weave the groups into a cohesive unit that builds the most effective solution. It is incredibly important to have a centralized system by which to pass this information from unit to unit, and this is the core benefit that SharePoint provides. Ultimately, the move to a Unified Messaging System will provide the most beneficial KYC network, and SharePoint makes an excellent backbone by which to extend the framework to encompass this type of development. Based on desired network architecture, SharePoint can effectively add-on unified messaging components that are inherently beneficial to our goal, such as Live Communications Server in order to facilitate the most effective online communication and archiving of that communication.
KYC policies should not be generated thin, meaning making an organization compliant “enough” typically is an implementation that is doomed to fail, and have higher maintenance costs in order to constantly adapt to created legislation. Instead, the policies should be detailed and focus on mitigating the following risks:
The last of these if by far the most important out of the given set as it just doesn’t incur hurtful penalties and impair operational efficiency, but can completely decimate a business as a whole. Going back to the group policies argument, it is necessary to branch out KYC policies to three main categories, therefore, these risks need not only be mitigated at the enterprise level, but also mitigated at the region level, state level, or however company organizational drilldown is performed.
There is going to be a channel of information that is following between all of these relevant business levels, and the most important of which is the customer data which has several legal ramification tagged with it concerning privacy and inherent data transfer laws. SharePoint can help fill a gap in this situation as well, allowing an organization to build robust security policies that can directly target the end-user instead of having to defining complex ACL (Access Control Lists) as they exist in legacy application. Instead, the security from the application standpoint of SharePoint is industry standard, and we can take access rights in relation to information to a very granular level. Examining your organizational hierarchy it should be quite evident what users should have what information in order for them to do their jobs most efficiently and with as little technological impairment as possible. Leveraging SharePoint audiences will ensure that sensitive information regarding clientele is kept in strict confidence, only those which are previously defined in the audience policy will be able to view this information. This is also an extendable hierarchy, and we can take the backend SQL database that is serving the actual content and encrypt it at the column level, ensuring that our client information is kept in the highest respect. This has several inherent benefits, mainly we are ensured that from point of data origination in the backend SQL database or SQL cluster as your implementation deems that this information is kept secure will residing, and when being viewed is only targeted to those who directly require access to the information in order to successfully complete their business tasks.
Although SharePoint is going to create the key communications and collaboration network in order to glue the disparate data in our network together, there are several ramifications provided that will also aid in our group policy management. Management of the policies, including duty assignment and controls will be assigned from the enterprise level. Large policy management such as this requires a robust environment to share information, assign tasks, manage duties, and in general create a team environment by which to harvest and apply data that increases the usability and effectiveness of the policies. SharePoint has several methods that will aid in an organization striving to achieve this, on multiple levels. Using SharePoint we can define and share the policies to correctly inform all effected units with effective document control to make sure of several important factors:
1) Revisioning – Policies adapt as an organization as a whole changes and legal ramification related to the required regulations are changed and assimilated into current policy architecture. Therefore, keeping constant data repository that allows revisioning will facilitate an environment that allows back tracking ensuring that all revisions and their inherent changes can be tracked. As, if a regulation is ever rolled back, previous versions of the policy documentation can be regenerated.
2) Document Control – Often times there are entire compliance offices and branches that are dedicated to providing the documentation in instigate the respective policies. This can lead to a situation whereby multiple version can be saved to the same location, overwriting valuable work. Using SharePoint, the compliance offices can be assured that they are the only one with rights of change using the inherent check in / check out features. This allows the user to simply open a read-only copy when the document is “checked out” to another user, ensuring that there is one version that is reliable for organizational implementation.
3) Access – Leveraging the security features in SharePoint will allow you to keep the policies in an available, yet secure location viewable by audiences that you deem fit to have whatever arbitrary privileges of control over. This is a very important feature in a consolidated KYC environment, which separates the KYC policy at different levels. Ensuring that your child groups have access to the enterprise KYC policy in order to successful implement the enterprise requirements as well as their own specifically defined environmental requirements is central to KYC policy success.
4) Backup – Disaster recovery is a concern of any business regardless of industry, a business must plan to take into account all concerns, however ridiculous some of this planned situations may be. SharePoint has inherent backup and restore utilities that allow you to back up the entire client / server application utilizing a manifest XML file in order to recreate the portal, simply by pointing to the file, and the utility handles the rest. This can even be programmatically controlled using other SharePoint related tools to automate the process so that a firm can be assured that their valuable business data is always shadowed by a reliable copy.
5) Presence – Using SharePoint, an organization can eliminate the hectic dilemma that happens during normal day to day process by establishing presence. Presence will allow you to see what users are online, and the methods that are at your disposal by which you can contact the user. This is especially important when you are implementing the revision control methods, which can become locked when checked out. Using the SharePoint presence technology however, if you need to make changes to your KYC policy immediately and a document is checked out by another party, you can instantly communicate with them via messenger, email, or other methods to remedy the situation.
6) Workflow – KYC policies can imply far reaching changes within a company, and therefore victim of requiring several types of approval routing. SharePoint procures an excellent framework by which to architect an objects workflow, even allowing it to be extended to either serial or parallel routes. This is a vital portion to the management of every KYC implementation, normally this process can involve lengthy hours of paper management, however correctly architecting the workflow solution can help this process be automated so the time for document to deliverable is abridged considerably.
7) Document Management – It is fairly common for data regarding your KYC implementation to become disaprete from the data system, especially when there are parties of people working on different portions. Normal branch compliance offices will often have there departments charged with this responsibility to be composed of several subject matter experts, requiring a team environment that offers document management and retrievel that is easy to use. SharePoint will expose these documents to who needs it, and offers very robust controls over the documentation from a variety of interfaces. It is similar to a file share across any standard Microsoft Server System network, so users will have a speedy adoption rate of the technology increasing your realized ROI.
8) Microsoft Office Integration – Microsoft office seamlessly integrates with SharePoint allow direct links to be established for speedy data transmission from the web application into your local programs. The benefits of this are numerous, however the most evident out of the set is that employees will have an immediate environment that they are familiar and comfortable to work with. More likely than not you will not have to facilitate in-depth training sessions to bring employees up to speed on the new technology, and they can continue to work with a tools that they have always used for their job role.
9) Scalability – Organizations grow, incorporate more data, and need ways to expand there business systems environment to componesate for the growth. SharePoint has a brilliant architecture that will allow you to design a network tailored to how you want to scale out, it can either by on single web server, or can involve complex farms spreading system intensive processes onto other servers. As well, it has flexible database options from implementing MSDE to a backend SQL cluster.