With the expectations of regulators and community stakeholders only increasing, directors and senior management need to understand how financial crime risks are practically operating on the ground in their business.
While formal reporting to management and boards is a critical component in overseeing financial crime risk, the reality is that before a report lands on the desk of a board member, it has gone through layers of review and challenge; ultimately, it is a curated message. While this does not make it invalid, incorrect or without value, it does mean that other data points should be considered.
In conducting oversight of management of financial crime risks, context matters. The expectation that one 'should have known' is increasingly the baseline. So beyond the written report, what should boards and senior executives look for? What are some of the potential "red flags"?
Below are a number of potential indicators of financial crime issues that are not necessarily contained in formal written reporting. While none of these are definitive indicators, and the mere presence of one or more does not explicitly mean there is an underlying issue, they can provide a board or other senior stakeholders with important context to consider, and may act as early or leading indicators.
1) The response to adverse findings from external and internal (e.g. internal audit) reports into financial crime
Almost all reviews of financial crime functions will have findings, often of varying significance. In and of themselves, findings are not a bad thing, but the response to them is critical.
- Does management’s response to findings adequately demonstrate (especially to external parties such as regulators) that the organisation is treating matters as seriously as they should?
- Is the response from management timely?
- Is it challenging for management to implement?
- Do they need extra resources?
2) Slow progress on remediation of report findings
Financial crime issues can be complex and multi-faceted; solving them often stretches across the organisation and can negatively impact the customer experience.
As a result, there can be a propensity for deadlines to move or to be set far in the future. While this might be justified based on budget, priorities, complexity and resources, it is important for boards and senior management to understand why progress is slow and consider the message slow progress sends to external stakeholders.
3) Abnormally high turnover in financial crime roles
Risk and compliance roles, grinding away in the layers of middle management and often the bearer of bad news and cost, can be a thankless task.
Financial crime specialists can at times feel like impediments to growth, and can sometimes be under-resourced. If this leads to turnover in key roles, not necessarily just the top roles, that is out of sync with what the rest of the organisation experiences, then boards need to understand what is driving this.
4) Decentralised management and ownership of regulator relationships and enquiries
Especially in large or very diverse organisations, a fragmented understanding of what regulators are talking to the organisation about can lead to inconsistent responses, or to notice of regulatory enquiries taking a long time to reach the board. Regulators share intelligence amongst themselves, and it is important that regulatory responses represent a consistent (and accurate) view across the organisation.
5) Ignorance of regulatory enquiries or demands
Board members need to understand the nature, volume and detail of regulatory enquiries on a consistent basis. Being surprised by a regulator is potentially an indicator that adequate reporting has not flowed through.
6) Abnormal increase in whistleblower reports in a particular area or issue
Culture matters in managing any risk, and a concentration of whistleblower reports in a particular area can be an indicator of cultural issues that might increase the risk of financial crime. Rather than deliberate action, this may take the form of poor training, disengaged staff or a hyper-focus on operational metrics that leads to a failure to report.
7) Focussed media enquiries or speculation
Consistent attention on an organisation, its industry or adjacent industries is often important context for boards considering whether there might be underlying issues they need to understand. This also applies when peer organisations are facing media coverage – given that many organisations operate in concentrated markets with people frequently moving between organisations, thinking that 'we are different' or that 'this could not happen here' often gives false confidence.
8) Minimal regular board reporting in regard to financial crime
Boards need to evidence oversight of financial crime risks and obligations. To enable this, regular and comprehensive reporting is needed – a monthly 'one liner' rarely demonstrates this. Reporting also needs to show business-as-usual (BAU) management, not just provide updates on remediation numbers.
9) Lack of clarity and robustness to governance arrangements for financial crime
Given that financial crime obligations can be complex and multi-faceted, are the governance and ownership for the component parts clearly understood? Conversely, do ownership and governance fairly link revenue to risk and cost, or is the 'downside' disproportionately skewed towards compliance or support functions? Does the AML Compliance Officer have a seat at appropriate-level governance forums and have commensurate influence?
10) Over-reliance on third parties for financial crime processes
While one can outsource a function, the risk remains with the organisation. The role of third parties needs to be understood, and regularly (and rigorously) tested. Moreover, where there is a significant reliance on third parties for execution, is there enough expertise in the organisation to understand the underlying risks, and really interrogate the third parties to ensure they are doing what they are supposed to?
11) Significant timeframe since last enterprise-wide risk assessment (EWRA) (or no comprehensive EWRA) and confusion over inherent vs residual risk
A risk-based approach is at the core of how an organisation manages its financial crime risk. Risk assessments, and especially the enterprise-wide money-laundering/terrorism-financing risk assessment, are a critical component of this and should flow into both the written programs and the practical operations.
- Is the risk assessment current?
- Is it comprehensive?
- Have specific AML mitigating controls been tested recently?
- Is there a clear understanding of the inherent risk (pre controls) and the residual (post-controls) risk?
- Is it realistic?
- Is it data driven?
- Is the quality of the data sufficient to enable an accurate assessment of the risks?
Formal reporting is critical but may only give part of the story. Boards and senior management need to understand the broader context for how financial crime is being managed in their organisation and consider what indicators or red flags they should also be looking out for.