In Part One, we established why the CBN’s new Baseline Standards for Automated AML Solutions rank among the world’s best. Here, we examine the risks those Standards create and the hard governance work that genuine compliance requires.
A regulatory framework is only as valuable as the quality of its implementation.
The CBN has been explicit on this point from the opening pages of its new Baseline Standards – they are designed to ensure “demonstrable effectiveness and not merely feature-based compliance or vendor-driven implementation”.
That phrase is both an aspiration and a warning. It tells institutions precisely what the CBN will be looking for when it examines compliance and what will not satisfy it.
What follows is an analysis of the ten most significant risks embedded in the new framework, explained in terms that non-technical readers can follow, with the supporting detail and specific Standards references that Compliance Officers and Risk Managers need to act on.
This risk is different in kind from the others. Section 7 of the Standards ties sanctions to named accountable individuals (Executives and, in certain circumstances, Board Members) where AML controls are found to be ineffective. The Standards’ requirement for a documented governance framework with named individual accountability for system ownership, configuration, model validation, change management, access rights and incident handling (§5.9b.i) means that accountability must be specific and named.
For Boards, this creates a direct governance obligation that goes beyond approving a policy document and receiving quarterly updates. It extends to interrogating the evidence behind management’s assurances – understanding what the last independent validation actually found, what the false positive rate is and whether automated closure thresholds have been breached.
What institutions must do – Map accountability for every significant aspect of AML system governance to named individuals before the roadmap is submitted. Boards must exercise substantive oversight: requiring evidence rather than accepting assertions, and understanding what the institution’s compliance posture actually is, not merely what management reports say about it.








