Scotiabank’s chief risk officer on the state of anti–money laundering

Twenty years ago, anti–money laundering (AML) was an afterthought for most banks. Today, it’s at or near the top of the executive agenda. Daniel Moore is group head and chief risk officer at Scotiabank, one of Canada’s top five banks, with 99,000 employees and more than $1 trillion in assets. Recently, McKinsey’s Erez Eizenman spoke with him in Toronto about Scotiabank’s efforts to combat financial crime. An edited transcript of their conversation follows.

McKinsey: As chief risk officer, it’s your job to stay awake at night worrying about various risks. Where does money laundering rank?

Daniel Moore: I think the biggest challenge for banks these days is strategy and brand. There’s a lot happening on various fronts: regulation, competition, data, and technology. And in a low-rate environment, margins are challenged. But our main concern is to understand our industry’s competitive advantage, embrace it, and enhance it. One such advantage is customer trust. We have that today, and we need to value it. Customer trust derives from brand. AML, which is really about ensuring responsibility in our banking capacities, is critically important to upholding the value of brand and enhancing customer trust. So getting AML right is of critical strategic importance to our bank.

McKinsey: How is the industry doing at maintaining that customer trust and managing the money-laundering risk?

Daniel Moore: The industry is on the early part of that arc. Even though banking has worked at this for years, it takes a long time to move beyond regulatory compliance and into effectiveness. That’s the journey the industry is on: discovering the abilities of data and technology to get to effective outcomes, as opposed to regulatory compliance. We see this in the headlines every day. We are still focused on regulatory compliance.

It’s critical to understand that the landscape is changing on two frontiers. One is the regulatory frontier, and the other is the environment in which we operate. We talk often about how the bad guys change how they operate every single day. And they are as sophisticated as banks, make no mistake. But the regulatory environment is also changing. Keeping pace with both effectively isn’t always easy; sometimes you need to decide which you want to pay more attention to.

McKinsey: How have you managed that at Scotiabank?

Daniel Moore: It’s always a balancing act. There’s no right answer. Knowing your regulator well, establishing a relationship, and ultimately aligning your interests are of critical importance. It’s also important to have really good governance. That’s something we’ve paid particular attention to in the last year or so. In big enterprise initiatives, it’s easy to move quickly to the tactical. And the tactical becomes disorganized. So effective governance, to make sure you’re focused on the right things at the right times, is important for an effective AML program.

McKinsey: For many banks, managing that balance means moving beyond all the manual work required in due diligence to using technology and analytics. Was that true for you?

Daniel Moore: Yes. Analytics is probably one of the most overused terms right now because it can mean so much. Analytics for AML can range from very simple, linear rules all the way to backward-propagated neural-network models. We use all of those—and everything in between—because there’s yield from each one. Part of the challenge is to make sure you’re using the appropriate tool at the right time for the appropriate outcome. Everyone wants to use the most sophisticated, complicated tool all the time. That isn’t always the most effective choice—nor the most explainable or acceptable from a regulatory perspective. But let’s be clear: for everything from name screening to transactional monitoring, we have not found any part of our AML program that hasn’t been positively and materially affected by the use of analytics.

McKinsey: What are your guidelines for applying analytics to AML?

Daniel Moore: The key observation is that, sometimes, effectiveness can derive from very simple outcomes, very simple rules, very simple filters. And it’s important to think about where and when you apply those tools. I come back to Ajay Agrawal’s paradigm of the simple economics of analytics. Analytics has made prediction very cheap, but it doesn’t mitigate the need for the kind of judgment in which people review outcomes. We can modify the filters and the funnel that go into a judgment, making it more effective. We can also enhance the tools used to make a judgment more productive. But ultimately, we still need that third level of judgment in which we look at cases and outcomes. That will remain expensive. But as prediction becomes even more widely applied and cheaper, the judgment will become more productive.

McKinsey: What are the technical challenges of setting up that kind of ideal, in which judgment sits atop machine models?

Daniel Moore: We’ve had two big challenges. One is sourcing the data. Most banks deal with multiple legacy systems holding data in many places. And producing an integrated data schema from that, where you can look at data effectively, is challenging. It’s not beyond the wit of man, but it’s a big piece of work to get right.

The other is what we refer to as the “IP [intellectual property] of AML judgment.” It is knowing what you’re solving for. Many of today’s high-profile cases would have been compliant with yesterday’s rules. So knowing about regulatory change, knowing what to look for in your systems to produce effective outcomes, is critically important. That’s an ongoing education.

McKinsey: We’d love to understand what you think about the future of analytics in AML.

Daniel Moore: The challenge is that we’re not only looking for a needle in a haystack, we’re looking for a needle in a stack of needles. And we don’t even know if we have the whole stack of needles when we’re doing it. So in the future, collaboration will be vital: across the financial-services industry, government, and law enforcement. The ability to put together our data sets and collaborate on typologies of attack—and the use of both advanced-encryption methods and analytics methods to mine the data—will enhance yields by orders of magnitude. That’s the ultimate direction. Some jurisdictions are further ahead than others. But I think all are moving in this direction. And ultimately, that comprehensive, 360-degree view will produce better outcomes for all stakeholders.

McKinsey: Let’s talk about the regulatory side of the balance you mentioned. Explaining your new uses of analytics could be a difficult conversation to have with a regulator.

Daniel Moore: Ultimately, it’s about understanding that the regulator’s objectives are aligned with our objectives. Simply put, that’s to find bad guys inside our system. We both want to achieve the same thing. So how do we enhance that alignment of interests? Communication and relationships are important in whatever jurisdiction you’re operating in—relationships with the regulator, bringing them along on the journey. In many jurisdictions, including the US, we’ve seen a shift in regulatory expectations where they are more open to a focus on the use of analytics to produce better outcomes.

McKinsey: Have you educated the regulator as you go?

Daniel Moore: It behooves us as an industry, because we are at the “coal face” of analytics, to educate the regulator. We’ve also found that the regulators are highly interested in learning and taking this journey alongside us. And that makes for effective challenge and governance on what we produce.

McKinsey: How do you think about metrics and tracking, both internally and to share with the regulator?

Daniel Moore: Like any big initiative, there are several metrics that can help, starting with production metrics in AML operations. In technology, we look at effectiveness, efficiency, and coverage metrics. We also have KPIs [key performance indicators] for a wide variety of outputs and backlogs. But ultimately, coming back to our objective, what it comes down to is risk appetite and our key risk indicators [KRIs]. Are we making progress against our risk-appetite metrics? Every form of risk, including AML, should have KRIs to assess the inherent risk, the mitigators, and the residual risk.

McKinsey: Big transformations need metrics and people to keep them on track. How critical is talent as part of that equation?

Daniel Moore: It’s probably obvious that talent is critical to the outcome. But talent isn’t just smart people. We have lots of smart people. Talent means people who have been on this journey and know the common pitfalls and can help you avoid them. The industry has been working on AML for many years now, so talent is available.

Some of those pitfalls are in data science. Historically, it’s been difficult to find data scientists. But the supply is increasing as universities and other organizations and even industry are training more people. The real challenge is finding people who understand both the data science and the business need. That’s pure gold—and rare.

McKinsey: Once you find the right people, how do you set them up to be successful?

Daniel Moore: That’s really a question of organizational alignment or culture. When a data scientist meets with a business partner, will they find engagement or resistance? And the question then is, how important is AML to an organization? Because we see AML as intrinsically linked to brand, we believe it’s of fundamental importance to the organization.

McKinsey: No matter how large your AML team grows to be, there’s always a requirement for AML to be truly owned by the front line. How do you both educate the front line and instill in them that sense of ownership?

Daniel Moore: Many organizations, and we are not immune, start big risk initiatives within the risk group. And maybe that’s an OK place to start. But you’ll never be long-term successful if the risk is not owned by the first line of defense. It’s important to create accountability, so the first line feels like it owns—and does in fact own—the risk. Governance, challenge, and oversight come from the second line.

It’s an important point that cannot be underscored enough. We need to know our customers and understand that the capacities we’ve created, which are extraordinary and highly efficient and highly tuned, are used for the betterment of society, its communities, and its individuals. We call that “good money,” and we make sure that good money is what flows over our counters every single day.

McKinsey: How has that concept resonated in your bank?

Daniel Moore: If you asked me ten years ago, when I was in wholesale banking, whether I would be excited about being involved in AML, the answer would have been a resounding “no.” It was a paper exercise. It was a compliance exercise. But when you shift your perspective and realize that every bank today is faced with people who want to exploit it to conduct criminal enterprises, terrorism, human trafficking, you know that’s not the sort of bank—or the sort of industry—that you want to be part of. When you make it real in that way, people wake up and realize, “We are not going to walk by that standard.” Because the standard that you walk by is a standard that you accept.

The real challenge is finding people who understand both the data science and the business need. That’s pure gold—and rare.

McKinsey: That’s a compelling change story. Our research shows that the number-one reason a transformation fails is that the top leadership team doesn’t offer a convincing story of why change is needed.1Why transformations fail: A conversation with Seth Goldstrom,” February 2019. How important has that story been for Scotiabank?

Daniel Moore: The board, the CEO, the operating committee—they are all highly engaged on our AML journey and understand its importance to the bank, why it matters for us to be responsible bankers, and why it matters to the commercial enterprise.

McKinsey: What did you do to ensure that everyone in the bank heard that tone from the top?

Daniel Moore: There’s no one silver bullet. It’s like any other cultural change. It will take time. And it requires a variety of modalities to get it right: regular memoranda, emails, frequent mentions in town halls. Any forum where you can mention at least seven times the importance of what you’re after will bring that message home. We made some powerful videos that resonated throughout the organization. We brought in victims of human trafficking to speak to our bankers to help them understand what this means and how this is happening in our own backyard. Human trafficking is the fastest-growing form of crime in AML today. It’s a real tragedy in the cities in which we operate. It’s a stark message. But once you get it out there, people really lean into the outcome.

The communications make it real, moving it off the piece of paper with the checklist and into the “why” of what we’re doing. That’s true also of the regulatory direction in which we’re heading and the way we operate inside the bank. Simon Sinek talks about starting with “why.” That’s the core of what we do. And landing that is of critical importance.

McKinsey: What role does the board play in this?

Daniel Moore: AML is a significant expenditure of calories. It takes a lot of investment to get it right. You absolutely need the board’s high-level engagement, as we’ve had, to make sure you’re focused on getting it right and that you have the resources available to deploy against that outcome.

McKinsey: Do you view AML as a source of competitive advantage?

Daniel Moore: Yes. An effective AML program will be a competitive advantage, not simply because of what it does to enhance the brand and build trust, but also because it allows you to do what you do more effectively. The consequences of getting it wrong are vast. A bank that falls down on AML might lose 20,000 commercial customers in a month. That’s because environmental, social, and governance issues matter more today than ever.

But the core of AML is relationships: knowing your customers better and being able to take smart risks of every kind when the bank underwrites a customer. Banks have a charter and a mandate in the communities and societies in which they operate to create capital for those that will put it to responsible uses.

Understanding our customers better, a better ability to rate risks, and intelligence about where we’re deploying our capital will allow the industry to responsibly deploy capital with those that need it, which is valuable to the communities in which we operate and to the banks that are able to operate safely in those jurisdictions. That’s what we’re working on.

Explore a career with us