Timeframes and Tactics: Rethinking AML and Fraud Alert Workflows

One conversation that seems to occur at every FinCrime conference is the one about whether AML and Fraud departments should be combined. When we’re a part of these conversations we always pose the question: “Do you work the AML and fraud alerts differently, and if not, should you be?  And does the answer to this question help determine whether the functions are combined or not?” That usually leads to some lively conversation and debate.

What’s not up for debate is whether the timeframe for completing AML investigations versus fraud investigations differs. AML investigations have a regulatory timeframe that helps to define the pace at which AML alerts are analyzed, investigated, and decisioned. The timing for the analysis and investigation phase isn’t necessarily prescribed by any regulator, but we’re aware of the requirement to file a SAR (or document a no-SAR decision) within 30 days after activity is deemed suspicious or not. However, we also know that the timeframe for the analysis and investigation phase of an AML alert has to be reasonable. Most institutions move from AML to the SAR or no-SAR decision in 60 to 70 days or so.

The Operational Nature of Fraud Alerts

Fraud alerts are different. To the extent a fraud alert can result in a SAR, the 30-day requirement to move to a SAR or no-SAR decision remains. But the pace at which one moves through the analysis and investigation phase is likely much quicker. To understand why this is, we have to review the nature of most fraud alerts.

A fraud alert can be an invitation to:

1. Intervene on fraud that is currently taking place.
2. Assist a customer who has just been defrauded or scammed, knowing that time is of the essence regarding remediation.
3. Move against a bad actor, customer or otherwise, who has just defrauded or scammed the institution.
4. Prevent fraud from taking place against a customer, or
5. Prevent fraud from taking place against the institution.

These four actions—intervene, assist, move, and prevent—are pressing and require a quick turnaround from an operational perspective in order to mitigate bad-actor activity. If activity is suspicious, the SAR is filed, and filed timely, but the purpose of the fraud alert is to review it and act quickly. They are typically worked much faster and with a slightly different purpose than AML alerts.

To support this, consider how most examiners review internal referrals of potentially suspicious activity. Assume a call center employee refers potentially suspicious activity about an account takeover to the FinCrime department.  Examiners won’t be expecting the department to take 30 days to analyze the alert in order to bump it to a case, another 30 days to investigate the case, and then another 30 days to file the SAR. That timeline would likely result in some type of finding or MRA. We’ve heard of instances where examiners expect that type of referral to move from alert to case to SAR within 45 days or so. Keep in mind, though, that these expectations aren’t necessarily supported by any written guidance.

Implications for Combined FinCrime Departments

If the AML and Fraud departments are combined, will the combined FinCrime department have the appropriate procedures in place to expedite fraud-related referrals and other fraud-related alerts?

Aside from examiner expectations, though, fraud-related referrals and alerts have that operational aspect to them mentioned above. Those actions (intervene, assist, move, prevent) require staff to do them. They require staff to act. This means the combined FinCrime department will likely have some type of protocol to notify or “ring the bell,” so to speak, to let first-line staff know that an account has to be closed, or protected, or have internet access blocked, or have transactions backed out, or some other action. This doesn’t sound like something an AML department would do. Staff don’t normally notify anyone in the institution when they’re working an AML alert, and often they can’t, due to confidentiality reasons. But when AML and fraud alerts are worked by a combined FinCrime department, procedures have to be in place to notify others of a potential fraud taking place (or recently took place) so actions can take place to mitigate bad-actor activity.

Key Takeaways and Structural Considerations

When having these conversations about whether institutions work their fraud alerts differently from AML alerts, the answer is usually “yes, we do work them differently.”  And that leads to conclusions as follows:

1. Have a combined department, but different procedures for working fraud alerts.
2. Have two totally separate departments, with the fraud department providing details to the AML department for SAR filing.
3. Have two totally separate departments, each filing their own SARs.

There is no correct configuration for the departments, but there doesn’t seem to be any doubt that fraud alerts are worked differently, with a different purpose and within a different timeframe.

Bates Group offers comprehensive advisory services to a wide range of financial institutions, MSBs, and Fintechs. We provide AML and FinCrime compliance support, including Independent Reviews and Risk Assessments, Technology and Systems Reviews, and Custom Compliance Training.