Two major risks keep senior executives of financial institutions awake at night, according to Hugh Jones, chief executive of Accuity, a global payment efficiency and compliance firm: the threat of a criminal hack and a discovery of a serious breach of law or industry regulations at their firm.

While the former could be devastating for the reputation of a company, for which safeguarding of client information is crucial, the latter could more directly impact the firm’s bottom line through regulatory fines. Both would likely impact the company’s stock price and the investors’ confidence in its management.

On the one hand, financial institutions have been doing a reasonably good job at preventing data security breaches. Only one, J.P. Morgan Chase & Co, has admitted to a data breach since the beginning of 2014, and that did not include sensitive banking information. On the other hand, banks seem to be less vigilant when it comes to anti-money laundering (AML) and sanctions regulations. During the same period, three global banks, BNP Paribas, Standard Chartered and Commerzbank were fined by regulators in relation to their money-laundering activities, breach of sanctions, or non-compliance with AML regulations.

Increased regulatory pressure and more frequent enforcement appear to be changing this. Eighty-eight percent of respondents to KPMG’s 2014 Global Anti-Money Laundering Survey said that AML was a priority for senior management. The number was the highest in the survey’s 10-year history, after initially peaking at 71% in 2007, then slumping to 62% in 2011. (KPMG publishes the survey roughly every 3 years.)

The growing importance of AML compliance has been reflected in the elevation of the role of chief compliance officer in the corporate structures. “[CCOs] didn’t report directly to a senior executive five years ago,” says Jones. “Now we’re finding that CCOs report directly to COOs or, at the very least, chief legal officers.”

The threat to the bank’s reputation and its bottom line is one reason for this shift. Another is the rising cost of compliance. Respondents to the same KPMG survey say that their investment in compliance grew at an average annual rate of 13% for the previous 13 years. By now, compliance initiatives have become so costly that new spending, both in people and technology, most often requires board-level approval.

The cost is driven by ever-increasing complexity of the re-quirements on the one hand and old, inadequate technology, opaque and redundant, often manual processes on the other. In addition, regional and global players in Asia find themselves working in a fragmented regulatory landscape, of different levels of maturity, which adds another layer of complexity.

Ever-changing landscape

“AML is a never-ending battle,” says Maggie Qiu, senior manager at Accenture Finance & Risk Services in Hong Kong. “The regulatory expectations keep increasing, the criminals are getting smarter and better, and new risks keep emerging.”

“It used to be sufficient to screen only new depositors or trade finance transactions,” says Jones. “Now that’s not good enough. There’s an understanding now, that a good person can turn bad, so you have to screen the entire group of depositors periodically,” he says.

Older, less sophisticated systems tend to yield a high number of “false positives” – cases that upon closer investigation turn out to be fine. The effort that goes into those investigations, however, especially at the largest banks in Asia, with tens of millions of customers, becomes daunting.

The majority of new compliance investment goes towards implementation of more advanced screening systems, more often than not provided by specialized vendors rather than built in-house.

The external providers are best equipped to keep up with ever evolving and increasingly complex screening requirements. “It used to be fine to screen for a country we’ve placed sanctions on,” says Jones. “It’s easy to do.” That paradigm is no longer valid. “ISIS is not a geographical space – it’s a group of people and they could be all over the world,” he says. Moreover, sanctions can be lifted on a country in one sector but not in others, and that yields to further complications.

In addition to more finely-tuned screening, new technologies focus on limiting the number of false positives, for example by better handling transliteration of names written in non-Latin script. They also more handily fulfil new audit and reporting requirements, by generating in minutes reports that used to take days or weeks.

Mitigating the rising costs

“Earlier, financial institutions primarily used a decentralized way to manage risk in each country,” says Qiu. “But it can be exceptionally costly if risk is handled in silos. The trend now is to adopt a global program and standards, while still taking into consideration the country variations and special requirements.”

In addition to new, more efficient technologies, financial institutions have been adopting more sophisticated, risk-based approach to AML screening. “Rather than screening everybody equally, they risk-adjust based on the groups within the bank that they serve,” says Jones. A salary-earner with a basic checking account and a mortgage would belong to a low-risk group, while a private wealth management client with several trust accounts, who sits on a number of public boards, would represent a higher risk. The banks have been adjusting their efforts and deploying more sources to monitor higher-risk clients more frequently. “Regulators typically find it appropriate because in the long run it’s actually more secure,” says Jones.

Similar decisions are being made about screening criteria. There are 88 major lists of politically exposed persons (PEP) in the world, containing perhaps 1.5 million names. Some lists are virtually identical, and some are relevant only to certain regions or countries. As PEP screening tends to yield a high number of false positives, banks have to make judicious decisions to pare down the number of lists to screen against, choosing only those that are most relevant to their business.

Then there’s – obviously – outsourcing. Banks can save a lot of money by transferring the disposition of positive cases to lower cost areas, like India, as they have been doing with technology and other back-office processes. Some may be reluctant, however, to transfer what may turn out to be their “dirty laundry” to a third party. The laws in certain jurisdiction may also forbid transferring personal information out of the country.

New approaches to doing business and using data bring promise of further mitigating the rising costs of compliance while making the process more effective. Collaboration is one such path. Swift, the global payment co-operative, has launched the KYC Registry, which member banks can use to screen new counterparty banks. Similarly KYC Exchange Net AG, a Swiss company, has created a platform that banks can use to share KYC (know-your-customer) information among themselves.

Progress made in Asia

Although Asia is a patchwork of regulatory environments, and its countries differ in their level of compliance, significant progress is being made throughout Asia as financial centres want to improve their attractiveness. In addition to well established markets like Japan or Singapore, which lead the efforts, some frontier markets are making significant strides in this area.

Myanmar stands out, says Jones, as its institutions, eager to be embraced by the world’s financial community, rapidly embrace compliance standards. India, already a huge but still fast growing market, faced with the sheer number of new accounts and the ambiguity of frequently similar names, has been investing in cutting edge compliance systems to sort through the volume and complexity.

While the cost of compliance with regulations clearly outweighs the risks of fines, lost business and reputation for most financial institutions, some institutions nevertheless reach the opposite conclusion.

Smaller banks sometimes make what’s for them a solid business decision to save money on compliance. “Struggling with margin to begin with, they have the attitude ‘We aren’t a haven for terrorists, we know most of our customers – it can’t happen here’,” says Jones.

Another area neglected by regulators and therefore banks, is trade finance. The busy hubs of Hong Kong and China are notorious for money laundering and evasion of capital controls through misinvoicing, says Jones.

Banks that are partly state-owned are less afraid of being fined by their regulators. In those cases, “you have to rely on outside pressures to change their attitudes,” says Jones, in particular from “other banks they may want to do business with.”