Bates Research | 11-27-24
Avoiding Landmines in AML Vendor Management
AML Officers face a complex landscape of potential challenges when working with vendors. Robust ongoing due diligence can help avoid potentially damaging or costly landmines.
A recent Consumer Financial Protection Bureau enforcement action serves as a reminder of the critical importance of vendor management. When a financial institution failed to properly vet both a vendor and their product, the resulting customer harm led to significant penalties.
Customer harm represents just one aspect of vendor risk management that demands consideration. AML Officers face a complex landscape of potential challenges, including vendor performance and continuity. These vendor "landmines" can detonate without warning—unless they're detected and defused through comprehensive due diligence. Through robust initial screening and ongoing monitoring of both vendors and their products, institutions can navigate these risks successfully. We’ll explore two common landmines below and provide some helpful hints on how to spot and avoid them before they become problems.
Example #1
An AML Officer had been using the same AML transaction monitoring tool for about 7 years. The tool was selected by the prior AML Officer, who had since left the institution. Due to the unique nature of the institution, the tool used was not one of the “top five,” although it was sold and supported by a vendor with an easily recognized name in the banking world. When the tool was purchased, the due diligence questionnaire didn’t ask questions about how many institutions were using the product. Subsequently, the product had to be updated by the vendor to meet a new regulatory requirement, and a plan was put in place to do so. Along with the plan came a “special invoice” for a substantial amount of money in addition to the contracted annual fee. When the AML Officer inquired with the vendor about the invoice, she learned that it was to cover the cost of the vendor updating the product. She asked why the amount of the invoice was so large, and was told it was because only 14 institutions used the product, and the vendor had to spread the cost over the 14 institutions. The AML Officer asked legal counsel to review the contract with the vendor, and although the contractual language noted that the product would meet regulatory requirements, it also referenced a possible upgrade fee for regulatory changes. What the institution didn’t know was how few institutions remained on the product, or how much the upgrade fee could be.
This was an expensive lesson. To minimize surprises, vendors of AML products should be asked at least annually about the current usage of the product and what the road map is. The question should be carefully crafted to specifically call out the exact product (and modules) the institution is using. If the response shows dwindling usage, the AML Officer has to worry about large upgrade fees and potential sunsetting of the product.
Example #2
An AML Officer has been using a transaction monitoring tool for six years. When the tool was purchased, the AML Officer was aware that the vendor partnered with another vendor—similar to a value-added reseller arrangement—to bring the tool to the market. The vendor seemed to know the product very well and was even able to complete a substantial customization project for the institution, to match the institution’s AML workflow. The tool wasn’t perfect, but the AML Officer maximized every ounce of functionality the tool offered and was happy with the tool.
When the contract renewal notice arrived, it indicated in red text at the top that the product would be discontinued in 12 months, and only a 12-month renewal term was available. The AML Officer called the vendor and was told that the relationship between the vendor and the vendor they partnered with had ended, and neither would be supporting the tool beyond the 12-month mark. Upon reviewing the contract language, the only vendor requirement was to provide a 12-month notice period.
This was also an expensive lesson because it can take several years to review, select, and implement a new AML system. To minimize these surprises, require more than a 12-month vendor notice period for the sunsetting of a product. More importantly, avoid situations where your vendor is partnering with another vendor to bring the tool to market. This can’t always be avoided, but at least be aware of the risks.
Most AML Officers can’t imagine paying a huge additional fee for a regulatory upgrade or finding out their AML monitoring tool sunsets in 12 months. Robust ongoing due diligence can help avoid those landmines.
Brandi Reynolds
Chief Growth Officer and Senior Managing Director, Fintech & Banking Compliance