Data Retention Challenges During an AML System Migration

September 19, 2019 by Gokul Kallambunathil, Michael Zeng

Today, many financial institutions are changing the anti-money laundering (AML) technology platform they use to perform required compliance processes, such as transaction monitoring and sanctions screening for various reasons:

  • Changing business requirements – As an institution’s business grows, so does the need for more sophisticated systems with better detection technology, enhanced workflow, audit trails, security, etc. The existing software may not be able to keep up with evolution in the organization’s business model or plans for growth.
  • Mergers and acquisitions – When organizations combine, compliance processes must be combined too. If both organizations use different platforms, one platform must be chosen, and all processes and previous data migrated to it. Alternatively, both organizations may move to a new, third AML solution.
  • Rationalization of AML systems – Over time, firms can find themselves running their AML program using multiple un-integrated systems simultaneously. Migrating to a new AML platform, or consolidating processes onto an existing platform, can make AML compliance checks seamless, improving efficiency and effectiveness.
  • Regulatory requirements – Sometimes old AML technology cannot meet new expectations by regulators, forcing the organization to upgrade or choose a new platform.
  • Obsolete systems – Over time, product limitations and the ability of the product vendor to keep up with changing requirements may force an institution to look for alternatives. The discipline of AML compliance has evolved significantly, and so these systems may lack the sophistication needed to perform today’s core tasks efficiently.
  • Shift in industry trends - Shifts in industry trends may force providers to make significant changes to their legacy systems. These changes may not serve the needs of the financial institution forcing them to consider other solutions.

The decision to implement a new technology solution for AML compliance processes should be driven by the organization’s needs. However, once the process has started, there are important considerations around data migration that must be managed correctly.

Understanding Data Retention Needs

Replacing an AML technology platform comes with a host of challenges for firms, most importantly, the retention of legacy AML transaction monitoring and sanctions screening data. Financial institutions are required to retain the information contained in an old system for several reasons, including subpoenas, compliance with data retention policies, and regulatory investigations or lookbacks. In addition, the U.S. Bank Secret Act (BSA) states that most records need to be retained for at least five years, and records related to the identity of a bank customer must be maintained for five years after an account is closed.

Previous AML transaction monitoring and sanctions screening solutions contain a tremendous amount of historical data. Data that needs to be held usually includes alert and case information, customer transaction and other static data, and historical information created by AML analysts and investigators about the rationale for the decisions they have taken about closing or escalating the alerts they have examined. It also includes configuration information, such as rule thresholds that were in place at the time the analysts and investigators were using the system. These thresholds are integral to understand the logic the solution used to trigger alerts and important if the firm needs to test that logic or talk with regulators about their AML program.

When migrating systems, financial institutions need to not only ensure the proper data is retained, but also that records can be accessed in a reasonable period of time, which means the method of archiving them is also important. Historical information is often crucial in time-sensitive situations such as subpoenas in court cases or regulatory examinations.

Common Data Retention Assumptions

Data retention should be discussed early on in any AML system migration project. However, many financial institutions fail to plan properly for this crucial element of the project. Keeping a copy of the data may work over the immediate short-term, but it is not feasible over the medium or long-term for the following reasons:

  • Licenses – Financial institutions must retain the licenses for and continue upgrading the old software to maintain access to the old data. This is resource-intensive and costly when the firm has already migrated to a new platform. Expired software licenses, however, can prevent access to the data.
  • Unsupported databases – Obsolete versions may not be supported by database vendors over a long period of time. Financial Institutions might have to resource upgrades or face IT challenges to maintain the database of old information.
  • Obsolete server technology – Servers may not be able to be supported by continuous updated server technology such as Windows server versions, Microsoft Net framework, Java versions, and even browser versions. Again, the financial institution would have to resource upgrades, this time in physical IT infrastructure
  • IT team skills – In theory, if a firm has a strong IT team that understands the database structure and all the nuances of the application, the institution can maintain database upgrades, however, most IT teams do not have the resources necessary for this approach.

It is very important that financial institutions engaged in moving to a new AML transaction monitoring or sanctions screening solution engage early with the challenges posed by data retention and work to migrate the date over to the new platform.

How ACA Telavance Can Help

There are better ways to manage data from a legacy AML transaction monitoring or sanctions screening software solution. ACA Telavance regularly works with clients to migrate historical data to a new AML compliance platform. We have four main approaches to conduct a migration:

  1. Migrate all of the data to the new system – This approach has the advantage of all data being located in one place, eliminating the need to keep and maintain the old database.
  2. Create views into legacy data – Views can be created into the old data within the new software if the new technology solution has the capability. To implement this solution, the organization needs to retain the database from the legacy system and ACA Televance can build or configure views into this database from the new system.
  3. Create a simple read-only application – A read-only application into the database can be built using simple technology that can be maintained and upgraded by IT going forward. However, this solution does not allow manipulation or analysis of data without using a separate software.
  4. Export the static data – For some firms, it might make sense to export the information it has to retain as static data. This information can include customers, accounts and transactions. Firms can also generate case reports or case exports and keep them available.

Which approach is right for your organization depends on its particular needs. To explore which of these options might be the right one for your AML transaction monitoring or sanction screening solution migration project, click here to contact us.

About the Authors

Gokul Kallambunathil is a Partner and manages key client relationships at ACA Telavance. He advises financial institutions on matters pertaining to regulatory compliance with a specialization in providing risk advisory services, BSA/AML/fraud and global sanctions consulting, and implementing regulatory compliance software solutions & products for financial institutions.

Gokul has over 25 years of progressive experience in Financial Services and Information Technology, and is a Certified Anti Money Laundering Specialist (“CAMS”). He has expertise in compliance with regulations such as the Bank Secrecy Act, USA Patriot Act, Know Your Customer (“KYC”) and Know Your Customer’s Customer (“KYCC”). He also has experience helping clients comply with regulations from the Office or Foreign Assets Control (“OFAC”).

Gokul has a Master's degree in Computer Applications (MCA) from Bharathiar University, Coimbatore, India.

Michael Zheng is a Senior Associate who assists financial institutions with meeting their regulatory requirements, including AML & OFAC model validation and model performance. Michael has experiences in BSA/AML and Sanctions Audit, Corporate Compliance Audit and Information Technology Risk Control Self-Assessment for U.S. based international financial institutions.

Prior to joining ACA Telavance, Michael worked at JP Morgan Chase as a Relationship Banker and at Bank of China as a Compliance consultant in New York City.

Michael has a Bachelor of Finance from Pace University and is a Certified Anti Money Laundering Specialist (CAMS). He also has a Series 6 license and Series 63 license.