On June 8, 2021, the German Federal Financial Supervisory Authority (BaFin) concretised the legal obligations for obliged entities pursuant to Section 2 (1) No. 1 of the German Anti-Money Laundering Act (GwG) with the publication of the Interpretation and Application Guidelines (AuA) for credit institutions. As already outlined in the blog post by my colleague Uwe Weber, item 1 of the AuA BT (special section) imposed on credit institutions that the origin of funds in cash transactions must be clarified and the associated verification and documentation obligations must be applied by August 8, 2021.

My blog post deals with item 6 of the AuA BT. Here, BaFin specifies the appropriateness of the data processing systems (DP systems) used:

Selection, Nature, Suitability:

The credit institution must ensure that the data processing system used

1. can be flexibly parameterised in order to be adapted to the business activities of the credit institution and can be updated at any time if new or changed findings from the institution-specific risk analysis are available.

2. principally enables the credit institution to identify transaction patterns, anomalies, and deviations.

3. contains an indication model that enables individual configuration, taking into account the relevant typologies in the area of money laundering, counterterrorism, and other criminal acts as well as the current publications of the FIU.

4. maps not only customer and product risks but also country risks and risks of terrorist financing.

5. allows indications to be parameterised with regard to the prevention of money laundering, the financing of terrorism, and - where necessary - the prevention of other criminal acts.

6. adequately covers the increased risks as defined in Section 15 (3) GwG.

7. allows names to be checked for similarities using fuzzy logic as part of the sanctions screening process.

8. supports the use and regular updating of lists that reflect the legal requirements (sanctions lists, embargo lists, PEP lists, etc.).

9. contains or is supported by evaluation and statistical functions to perform ad-hoc research and to access evaluations for regular updating and further development of the risk analysis.

10. is capable of receiving and processing all relevant data from the relevant IT systems, i.e., primarily from the payment and transaction systems and the customer master databases of the credit institution. The topicality of the data must be guaranteed at all times.

11. is capable of mapping certain case constellations which, due to their design, do not pose any risks under money laundering law and can therefore be excluded.

12. is able to display the generated hits in full (cf. Section 6 (1) Sentence 2 GwG).

13. particularly in the case of IT-based decisions, shows the main influencing factors for each hit generated and plausibly presents the occurrence of the hit result (prohibition of "black boxes").

14. can mark missing data and work with "default" values until they are corrected. In concrete terms, this means that if risk-relevant data is missing, a risk-increasing default value must always be assumed.

15. can also include historical data.

It is permissible to use different systems for different tasks (e.g. monitoring, screening). The decisive factor is that the systems used cover the above-mentioned aspects in their entirety.

All in all, these are not new or previously disregarded factors, but BaFin has hereby concretised the previously vague definitions and created more clarity. Overall, it becomes clear that when a new system is introduced, the market must be analyzed intensively to ensure that all aspects of appropriateness are sufficiently taken into account when selecting the system. The area of money laundering prevention plays a special role in this context because, in addition to the purely technical components, the specialized components in particular are decisive for the selection of a suitable system.

In addition to the quality and efficiency of the DP systems used, the quality of the data and information also plays a decisive role in the evaluation of the overall system. The higher the quality of the data in the source systems, the higher the quality of the outputs from a DP system, the so-called information quality, and thus the functionality of the system.

Data Quality:

To measure data quality, the following criteria are typically used:

- correctness,
- completeness,
- reliability,
- accuracy,
- uniformity,
- uniqueness,
- relevance,
- consistency and
- topicality.

Functionality:

The functionality of a DP system is given if

1. the accuracy and topicality of the indications, rules, thresholds, scores, and risk classification systems are checked regularly and on an ad-hoc basis, with particular regard to all relevant legal changes, regulatory requirements, warnings, and information.
2. significant changes in the institution's risk analysis are taken into account in the calibration of the system.
3. regular professional maintenance, overhaul, and - if necessary - technical upgrading of the hardware of the DP system are carried out to guarantee its functionality.
4. the smooth cooperation of the individual components and their interfaces to the DP systems is ensured at all times ("end-to-end"). The credit institution shall continuously verify the proper functionality of the DP systems and regularly ensure a quality control of the DP systems by an independent auditor.
5. the credit institution takes into account the event of a malfunction or failure of the DP system in the contingency plan pursuant to AT 7.3 of MaRisk (Minimum Requirements for Risk Management.
6. changes to the legal requirements regarding the use of DP systems and their subject of regulation are implemented without delay after they come into force.

These requirements are not entirely new, but they do specify the need for the business and technical areas to work closely together in order to guarantee functionality. It becomes clear that, in addition to the credit institutions, the providers of such IT solutions also have a responsibility to ensure that their systems are regularly updated in order to reflect changing or new requirements.

Just as the quality of data and information mentioned above contributes to the effective and efficient use of DP systems, a proper mapping of the data supplied from the source systems to the database fields of the DP system is part of the basis for full functionality. When selecting the DP system, it must be guaranteed that the DP system is designed to include the required data in the database in a sustainable (re-generable) manner. The requirements for the mapping of a DP system in the area of money laundering and terrorist financing prevention are very high as it is not sufficient to simply store the data. Instead, the data must be recognizable and reproducible within the legal deadlines, even if the content of the data field changes, but it must not be possible to manipulate it. Ideally, the DP system is capable of naming the data fields according to the designations from the source systems.

Documentation:

The DP system must allow all adjustments to the parameters (settings, indications, authorizations) as well as all hits generated together with hit documentation and, if applicable, suspicious activity reports pursuant to Section 8 GwG to be documented and archived in such a way that a knowledgeable third party can reconstruct these processes within a reasonable period of time.

It must be taken into account that

1. generated hits must be documented in such a way that the hit analysis and the resulting findings are recognizable and comprehensible.
2. responsibilities are identifiable at all times.
3. sufficient justification is provided which conclusively demonstrates the regularity and legality of the change.

The documentation requirements are therefore now specified for the first time and also clearly described in terms of scope. Whereas previously these were merely general documentation requirements, they are clearer definitions now. However, there is still a margin of discretion. Particularly in connection with documentation requirements, the auditing bodies, associations, and organisations as well as auditors at banks and saving banks will probably take a closer look in the future.

A key requirement of item 6 is that the DP systems must be able to map the relevant typologies in the area of money laundering, counterterrorism, and other criminal acts as well as the indications arising from current publications of the FIU. In addition to the requirements already described for the data supplied and their usability in the DP system, this also results in requirements for documentation and auditing: all relevant facts relating to the parameterisation of the DP systems (such as rules, indications, etc.) must be taken into account in the documentation.

With regard to typologies and indications, there are a large number of documents that make it difficult to record all typologies. This is because the FATF alone has published more than 50 publications related to money laundering, terrorist financing, and proliferation in 2019 and 2020. If you add the area of other criminal acts, more than 300 typologies come together. Here, msg Rethink Compliance recommends keeping a corresponding register, including regular updates.

Management:

When assigning user rights for the DP system, it must be guaranteed that the user concerned has all the necessary professional qualifications and expertise. This applies both to the company's own employees and to external consultants.

When assigning rights, it must be ensured that it is clear which function the respective user is to perform and that only the rights relevant to this function are assigned to him. This results in the requirement that employees entrusted with the use of the DP system receive sufficient training and professional development in order to ensure transparent operation in compliance with MaRisk.

The anti-money laundering officer is responsible for this. He is responsible for the technical further development of the DP system, the modification of existing indications, rules or scenarios, thresholds and scores as well as their generation and calibration, and he must have the corresponding knowledge. The anti-money laundering officer must know the capabilities and limitations of the DP system in order to assess whether and how new requirements can be implemented. The final technical implementation can be done by specialized staff or by external service providers.

Selection of the Data Processing System:

If the criteria specified by law are met, the credit institutions are basically free to choose the DP system they wish to use. The fact that there are no system specifications underlines the statement under 6.2.6 that the market must be analyzed intensively when a new system is introduced and that not only specialist but also technical knowledge is required for this.

The conditions under which the use of a DP system can be dispensed with have now also been specified. Section 25h (2) Sentence 1 of the German Banking Act (KWG) provides for a general use of DP systems for all credit institutions, but allows BaFin to define appropriate exceptions. This has now been done under item 6.2.7 AuA BT.

A credit institution may refrain from using a DP system if there is only a small number of contracting parties/beneficial owners or transactions which can be monitored effectively without a DP system. BaFin specifies a balance sheet total of less than EUR 250 million as a benchmark.

Outsourcing abroad:

Under 6.2.8, it is specified that outsourcing to a third party with its registered office abroad is possible, but only if the third party's branch is not located in a high-risk third country.

With regard to outsourcing, it should be noted that outsourcing (domestic or foreign) does not allow the credit institution to outsource the obligation under the Anti-Money Laundering Act. The responsibility for fulfilling the security measures remains with the obliged entities. In this regard, BaFin states under 6.2.8 of the AuA BT that it must be ensured that the anti-money laundering officer has access to all hits and that he is informed immediately of relevant hits so that the time limits for submitting suspicious activity reports are met. Thus, even after outsourcing, a knowledgeable person must be present in the credit institution.

Conclusion:

Selecting the right or suitable system is not an easy task and poses problems for many institutions. The present concretization of BaFin concerning the appropriateness of DP systems can be used for the selection and is helpful for the examination of suitability. On the other aspects of a selection procedure, the methods or instruments, there is no concretization. I therefore recommend documenting the selection process and the decisions made in order to minimize the scope and possible consequences of an incorrect selection.