Data Retention Challenges During an AML System Migration

September 19, 2019 by ACA Compliance Group

Today, many financial institutions are changing the anti-money laundering (AML) technology platform they use to perform required compliance processes, such as transaction monitoring and sanctions screening, for various reasons:

  • Changing business requirements – As an institution’s business grows, so does the need for more sophisticated systems with better detection technology, enhanced workflow, audit trails, security, etc. The existing software may not be able to keep up with evolution in the organization’s business model or plans for growth.
  • Mergers and acquisitions – When organizations combine, compliance processes must be combined too. If both organizations use different platforms, one platform must be chosen, and all processes and previous data migrated to it. Alternatively, both organizations may move to a new, third AML solution.
  • Rationalization of AML systems – Over time, firms can find themselves running their AML program using multiple un-integrated systems simultaneously. Migrating to a new AML platform, or consolidating processes onto an existing platform, can make AML compliance checks seamless, improving efficiency and effectiveness.
  • Regulatory requirements – Sometimes old AML technology cannot meet new expectations by regulators, forcing the organization to upgrade or choose a new platform.
  • Obsolete systems – Over time, product limitations and the ability of the product vendor to keep up with changing requirements may force an institution to look for alternatives. The discipline of AML compliance has evolved significantly, and so these systems may lack the sophistication needed to perform today’s core tasks efficiently.
  • Shift in industry trends – Shifts in industry trends may force providers to make significant changes to their legacy systems. These changes may not serve the needs of the financial institution, forcing it to consider other solutions.

The decision to implement a new technology solution for AML compliance processes should be driven by the organization’s needs. However, once the process has started, there are important considerations around data migration that must be managed correctly.

Understanding Data Retention Needs

Replacing an AML technology platform comes with a host of challenges for firms, most importantly the retention of legacy AML transaction monitoring and sanctions screening data. Financial institutions are required to retain the information contained in an old system for several reasons, including subpoenas, compliance with data retention policies, and regulatory investigations or lookbacks. In addition, the U.S. Bank Secrecy Act (BSA) states that most records need to be retained for at least five years, and records related to the identity of a bank customer must be maintained for five years after an account is closed.

Previous AML transaction monitoring and sanctions screening solutions contain a tremendous amount of historical data. Data that needs to be held usually includes alert and case information, customer transaction and other static data, and historical information created by AML analysts and investigators about the rationale for the decisions they have taken about closing or escalating the alerts they have examined. It also includes configuration information, such as rule thresholds that were in place at the time the analysts and investigators were using the system. These thresholds are integral to understanding the logic the solution used to trigger alerts, and they are important if the firm needs to test that logic or talk with regulators about its AML program.

When migrating systems, financial institutions need to not only ensure the proper data is retained, but also that records can be accessed in a reasonable period of time, which means the method of archiving them is also important. Historical information is often crucial in time-sensitive situations such as subpoenas in court cases or regulatory examinations.

Common Data Retention Assumptions

Data retention should be discussed early on in any AML system migration project. However, many financial institutions fail to plan properly for this crucial element of the project. Keeping a copy of the data may work over the immediate short term, but it is not feasible over the medium or long term for the following reasons:

  • Licenses – Financial institutions must retain the licenses for and continue upgrading the old software to maintain access to the old data. This is resource-intensive and costly when the firm has already migrated to a new platform. Expired software licenses, however, can prevent access to the data.
  • Unsupported databases – Obsolete versions may not be supported by database vendors over a long period of time. Financial institutions might have to resource upgrades or face IT challenges to maintain the database of old information.
  • Obsolete server technology – Servers may not be supportable by continuously updated server technology such as Windows Server versions, the Microsoft .NET Framework, Java versions, and even browser versions. Again, the financial institution would have to resource upgrades, this time in physical IT infrastructure.
  • IT team skills – In theory, if a firm has a strong IT team that understands the database structure and all the nuances of the application, the institution can maintain database upgrades. However, most IT teams do not have the resources necessary for this approach.

It is very important that financial institutions moving to a new AML transaction monitoring or sanctions screening solution engage early with the challenges posed by data retention and work to migrate the data over to the new platform.