One phrase says everything about anti-money laundering (AML) enforcement: Mission creep. Since 9/11, federal agencies supporting the financial war on terror have developed a number of new regulations, apparently designed either to create the perfect trap for every money-laundering scheme, or to build its power base.

Whichever it is, the burden to comply falls on financial institutions of every stripe. And not every new regulation is the fault of over-zealous bureaucrats: The fertile minds of money launderers are always finding new ways to do business, and government needs to keep up.

The real battle with money laundering is a matter of forensics, not mere compliance. At the end of the day, going after people dumb enough to use banks or money-service businesses is the anti-terror equivalent of busting street dealers: Moving real money can’t be done $9,000 at a clip, and it’s easier to get money from Miami to Bogota or Peshawar by smuggling it, taking out life policies on dying relatives, or buying a shack for $10 million, than trying to evade the ever-narrowing gaps in the established financial system.

Nevertheless, even if AML compliance is more a matter of politics than of having any real effect, it’s a serious matter. Non-compliance can mean big legal bills, a loss of reputation, and multi-million dollar fines—or even being shut down—for institutions foolish enough to give the task short shrift. And with most institutions processing thousands—if not millions—of payments daily, this task is clearly beyond any sort of manual monitoring.

The result, says Eva Weber, an Aite Group analyst, is that financial institutions must take the necessary steps to satisfy the regulators. "The size of the problem is continuing to grow, and not going away," she says. "Regulators are always saying that the focus for banks should be on preventing money laundering, and not necessarily on compliance, but of course, one can’t exist without the other, so the focus has been heightened on AML compliance."

As for the cost, expect no slack from Washington: "It’s natural for regulators to expect more from financial institutions when they know there are many tools available to them," she says. "They’re mindful of the cost, but the goal of AML compliance is, in their minds, more important than the price tag."

That being the case, those few banks still struggling with the task—and the many non-banks about to be faced with it—had better get their ducks in a row. There really is no way out of it, and any bank chairman who doubts it need only read one of the many cease-and-desist orders on the website of the Office of the Comptroller of the Currency (OCC).

Compliance means more than a software installation. AML forces change in managing a typical bank over and above computer issues. To take just one example: Almost every OCC cease-and-desist order includes a directive to train staff in AML issues, including being familiar with a written AML policy and procedures manual.

Software is unavoidable. The job is just too big. "Compliance officers are really stretched these days, because they’re the sole person responsible for complying with all those regulations, and it’s too time consuming to go through all a bank’s transactions, manually go through all the lists, and check for all the red flags," says Weber.

However, software is not good enough, and an institution that over-relies on it, and does not go to the trouble of knowing their customers—usually number one in any compliance regimen—is asking for trouble.

Consider, for instance, a wine importer who decides to hold a November nouveaux Beaujolais festival, and orders 40 cases of wine from 10 vineyards for roughly $9,000 each. That transaction would be flagged by any software package as suspicious, and generate a Suspicious Activity Report (SAR). But automatically sending it on to the Financial Crime Enforcement Network (FinCEN) would only lose you a customer, and annoy FinCEN. Appropriate procedures need to be in place to avoid a stumble like that.

"The most common reason for filing a SAR is structuring (making numerous payments just below the reporting threshold), but it’s not always people looking to avoid filing a CTR (currency transaction report). A lot of times, it’s just the nature of their business," says Weber. "It’s difficult for a larger institution, but you should know your customer pretty well, and hopefully, you’ve already spoken to them about this particular sort of incident. But you still need to investigate it."

The cumulative effect of AML implementation shouldn’t actually change the bank, she adds, as long as the bank has already been vigilant. "If you haven’t been doing this already, then this is going to hurt," she says. "Training your staff about what the red flags are and the importance of complying, and that any form that needs to be filed, is filed, is too important to ignore."

"Everything should begin with your risk assessment," she adds. "That means knowing what sort of transactions your customers execute and what sort of businesses that you’re dealing with, so even when you implement the technology, things shouldn’t change that much. You should already know what you should be looking out for."

At the end of the day, says Weber, the AML task is a chore that’s only going to grow, if only because regulators will be constantly thinking up better ways to do their job, and look better before a Congress hungry for ways to look like it’s doing its job. "The enforcers are always going to want more information, and not less," she says. (Contact: Aite Group, Eva Weber, 210-688-0123)