Chapter 32: Case Study 1 — Cornerstone's Multi-Jurisdictional AML Platform Selection

Background

Cornerstone Financial Group is a mid-sized financial institution with licensed operations in the United States (New York and Chicago), the United Kingdom (London), and the European Union (Frankfurt and Amsterdam). Its US operations are supervised by the OCC and FinCEN; its UK operations by the FCA and NCA; its EU operations by BaFin and DNB (De Nederlandsche Bank), both of which will be subject to AMLA oversight from 2026.

Cornerstone's legacy AML transaction monitoring platform — deployed twelve years earlier — has reached end-of-life. The vendor has announced it will cease support in eighteen months. The Chief Compliance Officer, Helena Park, has initiated a platform replacement project with an eighteen-month deadline.

The project was assigned to a cross-functional team: IT Procurement, Compliance, Legal, and Finance. The Finance member, acting as budget owner, proposed establishing cost as the primary selection criterion and weighting it at 60% of the evaluation score. The IT Procurement lead agreed. Three platforms were evaluated. Platform A was selected: it was the least expensive by 23% and scored highest on the weighted evaluation.

Helena was on leave during the final scoring. She returned to find the decision made.


The Compliance Review

Helena convened a compliance review of the Platform A selection the week after her return. She assigned the review to two members of her team: the UK Head of Financial Crime, James Okafor, and the EU Financial Crime Manager, Lieselotte van der Berg.

Their findings were delivered three weeks later. Helena read the report on a Friday afternoon and sent a single message to the IT Procurement lead: "We need to talk Monday."

The findings were as follows.

Finding 1: AMLA-incompatible beneficial ownership data model.

The 2024 EU AML Regulation, and the AMLA technical standards being developed for implementation from 2026, require a specific beneficial ownership data structure that includes the basis for ownership or control (direct shareholding, indirect shareholding, voting rights, other means of control), a confidence score for the data source, and linkage to the EU UBO register query API. Platform A's data model stores a beneficial owner name, percentage, and date of birth — the minimum required under AMLD4, which was superseded in 2022. It has no field for basis of control, no confidence scoring, and no UBO register integration. Lieselotte confirmed: the platform vendor's roadmap does not include AMLA compatibility until 2027 — beyond Cornerstone's compliance deadline.

Finding 2: SAR filing format incompatible with FinCEN specifications.

Platform A generates SAR output in a proprietary PDF format. FinCEN requires SAR filing via the BSA E-Filing System using the FinCEN SAR XML schema (Form 111). The Platform A output would require manual re-keying into the BSA E-Filing portal for each SAR. Cornerstone files approximately 340 SARs per year in the US. The manual re-keying process would require an estimated 0.75 FTE of additional compliance staff time annually — at a cost that eliminates a significant portion of the projected cost saving from selecting Platform A. More critically, manual re-keying introduces transcription error risk into regulatory filings.

Finding 3: UK JMLSG enhanced due diligence triggers not configurable.

The JMLSG Guidance — Part I, Chapter 5 — specifies EDD trigger categories that are UK-specific: certain business types, certain geographic risk indicators, and certain relationship characteristics that require enhanced due diligence under the MLR 2017. Platform A's EDD module uses a fixed trigger list that cannot be modified by the compliance team. The trigger list reflects the vendor's US regulatory template and does not include several UK-specific triggers. James identified three JMLSG-specified triggers that were absent from the Platform A configuration and could not be added without a bespoke development contract, which the vendor priced at £180,000.


The Remediation Decision

Helena presented the findings to the Executive Committee. The options were:

Option A: Accept Platform A with remediation. Proceed with Platform A implementation; commission the £180,000 bespoke JMLSG module; allocate the 0.75 FTE for manual FinCEN SAR re-keying; and plan for EU migration to a different platform before AMLA implementation in 2026. The total cost of this approach, including remediation and eventual EU migration, exceeded the cost of Platform B (the second-ranked platform) by approximately £220,000 over the three-year period.

Option B: Re-open the platform selection and select Platform B. Platform B had scored second in the original evaluation on cost but had native FinCEN SAR XML export, a configurable EDD trigger module, and a committed Q3 2025 AMLA compatibility release. The delay from re-opening the selection and re-contracting was estimated at three months — compressing the implementation timeline but remaining within the eighteen-month deadline.

The Executive Committee chose Option B. The cost difference was material, but the compliance risk of Option A — regulatory findings at FinCEN examination for SAR format issues, AMLA non-compliance, and potential EDD gaps — outweighed the savings.


The Remediation During Implementation

Platform B's implementation proceeded on the compressed timeline. Three issues arose during implementation that required specific compliance team involvement.

First, the AMLA compatibility module, while committed for Q3 2025, was released in September 2025 — mid-implementation. The compliance team had to manage a parallel-run period using the legacy platform for EU operations while Platform B's EU configuration was completed.

Second, the JMLSG trigger configuration required specific compliance expertise to set correctly. The vendor's implementation team had limited UK financial crime experience; James Okafor spent approximately three weeks of his time reviewing and validating the trigger configuration before sign-off.

Third, testing of the FinCEN SAR XML export module revealed a schema version mismatch: Platform B's export used FinCEN SAR schema v2.1, while FinCEN had moved to v2.2 in January 2025. The vendor issued a patch within two weeks, but this delayed the US go-live by three weeks.

Despite these issues, Cornerstone completed the platform migration with two months to spare on the deadline. The legacy platform was decommissioned on schedule.


The Lessons Applied

Helena Park presented a lessons-learned report to the Board Audit Committee. The report identified three root causes of the near-miss.

First, the evaluation framework weighted cost at 60% without adequate weight for regulatory compliance capability. A platform that cannot meet filing format requirements in the US, EDD configuration requirements in the UK, and beneficial ownership data model requirements in the EU is not a lower-cost option — it is a higher-cost option with deferred cost recognition.

Second, compliance team review of the shortlisted platforms was absent from the original procurement process. The evaluation criteria had been set by IT Procurement without compliance input. Helena's absence during the final scoring removed the last potential checkpoint.

Third, jurisdiction-specific requirements were not part of the evaluation criteria. The evaluation assessed platforms on generic AML functionality without mapping that functionality against the specific requirements of each of Cornerstone's operating jurisdictions.

Helena's recommended changes: compliance veto power over technology procurement decisions with regulatory compliance implications; a mandatory jurisdictional requirements mapping exercise before any platform is shortlisted; and explicit weighting for regulatory compliance capability in all evaluation criteria.

The Board approved all three recommendations.


Discussion Questions

1. The Finance team's decision to weight cost at 60% of the evaluation score reflected a reasonable concern with budget management. What additional evaluation criteria, and what weightings, would have produced a more balanced selection outcome? How should a compliance team advocate for compliance-capable criteria without being dismissed as obstructionist?

2. Finding 1 identified that Platform A's beneficial ownership data model did not meet AMLA requirements that would not become mandatory until 2026 — after the platform selection but before the end of the likely platform lifespan. How should forward-looking regulatory requirements (those not yet in force at the time of selection) be weighted in technology procurement decisions?

3. Finding 2 identified a cost-saving platform that would require 0.75 FTE of manual SAR re-keying to operate. How should a compliance team calculate the true total cost of ownership for a platform that does not automate a regulatory filing requirement? What qualitative risks, beyond the quantifiable FTE cost, does manual re-keying introduce?

4. The UK JMLSG EDD trigger issue (Finding 3) could have been identified through a structured requirements mapping exercise before the RFP was issued to vendors. Design the structure of a multi-jurisdictional AML platform requirements document that would identify UK-specific, US-specific, and EU-specific requirements before vendor engagement.

5. Cornerstone ultimately chose Platform B after re-opening the selection, at a higher upfront cost but lower total cost over three years when remediation expenses were included. What governance mechanisms would have prevented the initial selection of Platform A, and how should those mechanisms be designed so that they add appropriate oversight without creating bureaucratic barriers to legitimate procurement decisions?