How Fintech is helping overcome anti money laundering challenges
5 January 2019, by Bachir El Nakib
2016 marked the beginning of a détente between banks and financial technology (fintech) firms. After years of adversarial jockeying, banks and fintechs have determined they are better allies than rivals.
Banks that once feared fintech would replace them have come to appreciate fintechs as valued partners capable of fast innovation. Fintechs are likewise realising they can leverage banks’ established infrastructures to scale and reduce customer acquisition costs. These complementary strengths have prompted banks to partner with, and acquire, fintech firms.
This article highlights three regulatory focus areas for banks as part of the diligence process in a fintech partnership or acquisition.
Elevated AML risks too
In addition to fostering the criminal activity outlined above, the anonymity, liquidity, and borderless nature of cryptocurrencies make them attractive to potential money launderers.
− Placement: The ability to rapidly open anonymous cryptocurrency accounts provides a low-risk means for criminal groups to convert and consolidate illicit cash.
− Layering: Cryptocurrency provides an ideal means to transit illicit proceeds across borders. Unregistered ICOs also provide opportunities for large-scale layering. If the money launderers also control the ICO, then they can use a fraudulent “capital raising” to convert their crypto-denominated illicit proceeds back into fiat currency.
− Integration: The growing list of goods accepted for purchase with cryptocurrencies expands integration opportunities. The willingness of ICOs to trade crypto-for-crypto could also lead to criminal enterprises taking large stakes in crypto-businesses, with or without the awareness of those businesses.
− Terrorism financing and sanctions evasion: The same anonymity and ease of creation make crypto-accounts ideal for persons to receive payments that might otherwise trigger terrorism financing or sanctions red flags. Although the use of cryptocurrencies is not yet widespread in terrorism financing, terrorist groups have been experimenting with cryptocurrencies since 2014 and Bitcoin has been raised for such groups through social media fundraising campaigns.6 States targeted by sanctions have also taken an interest in creating their own state-sponsored cryptocurrency, with Venezuela debuting such a coin in February 2018.7
Assessing and managing risks of customers dealing in cryptocurrency
Special AML considerations arise when the customer of an FI is itself a cryptocurrency business. VCE or wallet services may themselves be classified as AML-obligated entities, depending on the jurisdiction(s) in which they offer services. A currency administrator, such as the issuer of an ICO, may also be subject to AML obligations, and all three business types may be subject to other financial services licensing or registration regimes. We outline some of these issues below.
(a) Crypto-business customers that are financial institutions
FIs may be required to conduct additional diligence when onboarding and monitoring crypto-business customers that are themselves FIs.
Onboarding and risk assessment for a cryptocurrency business is likely to encompass a number of questions related to the business’s compliance with applicable regulatory requirements:
− Information gathering: Does the customer’s business and compliance model permit it to collect information sufficient to perform CIP and to risk rate its own customers? Does it permit it to obtain information as to counterparties and the locations of transactions?
− Monitoring and reporting: Does the customer have mechanisms in place for account monitoring and procedures in place for required reporting?
− Geographic controls: Is the service able to control the jurisdictions in which its services are accessed?
− Legal status and licensing and registration compliance: Has the service assessed the legality of its services in all the jurisdictions in which it operates? Has it undertaken the required licensing and registration outside the U.S.?
For example, in the U.S., FinCEN guidance on servicing MSB accounts, drafted prior to the advent of cryptocurrency, remains applicable to accounts for VCEs and wallets that are MSBs.12 In addition to performing CIP, this guidance requires FIs to confirm the FinCEN registration status of the MSB (or application of an exemption); confirm compliance with state and local licensing requirements, if applicable; confirm agent status, if applicable; and conduct a basic BSA/AML risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary.13 While an FI is not independently responsible for the effectiveness of its customers’ AML programs, deficiencies in any of these areas are red flags that should be considered when evaluating a customer’s particular risk level.14 Accordingly, FinCEN advises that “due diligence [of MSBs] should be commensurate with the level of risk ... identified through its risk assessment,” such that if a MSB presents “a heightened risk of money laundering or terrorist financing, [the FI] will be expected to conduct further due diligence in a manner commensurate with the heightened risk.”
(b) Other crypto-business risks
Even where an FI has assurance that the customer crypto-business is not an AML regulated entity, the FI should update policies and procedures in order to be able to account for particular money laundering risks posed by the business.
The question of geographic control warrants particular attention in the context of servicing crypto-businesses. In addition to the risk of dealing with sanctioned persons and jurisdictions, the current absence of uniformity in the treatment of cryptocurrency activities (in particular, the differing registration requirements and the prohibition on issuance and exchange services in China) creates legal risk analogous to other services that are legal in some jurisdictions but not in others, such as online gambling. The inability to control where such services are offered raises the possibility that the enterprise itself is engaging in prohibited conduct. Where such prohibition is criminal, these violations could cause the crypto-business’s earnings to be classified as illicit proceeds for the purposes of criminal AML provisions.17 Regardless of whether national law applies a strict liability approach or a knowledge/recklessness requirement to such acceptance, FIs’ compliance programs must include reasonable measures to detect and prevent such facilitation. Even where there is no risk of criminal violation, an FI providing services to a crypto-business should consider whether it would provide the services to a non-crypto-business whose registration status was in doubt.
Even for ICOs that do not qualify as obligated entities under relevant AML rules, FIs should carefully evaluate whether the structure of the ICO presents AML risk. An ICO should receive particular scrutiny if (i) the token sale is not capped per user, such that unlimited amounts of funds can be transferred to the ICO issuer, and (ii) the ICO intends to convert a portion of the raised funds to fiat. FIs should examine terms and conditions of an issuance to determine whether the issuer has controls in place to avoid wrongdoing.
Banks considering a fintech partnership or acquisition should evaluate the firm’s compliance with anti money laundering (AML) laws and regulations. As a minimum, diligence must assess the adequacy of a fintech’s AML compliance programme, including its internal controls to mitigate money laundering and related financial crimes.
Diligence should target trouble areas based on the breadth and complexity of the fintech’s operations. For example, an online lender originating small business loans faces different AML considerations than a money services business, which is directly subject to AML regulation. In targeting blind spots, banks should proactively identify risks associated with foreseeable misuse of a fintech’s products and services.
The diligence process is also an opportunity for banks to define AML expectations, requirements and responsibilities for fintech firms in a partnership or acquisition. For example, a bank may require a fintech to hire specialised AML personnel, undergo audits and allow regular monitoring by the bank or an independent AML specialist.
Banks and fintechs should use the diligence period to work together to remediate compliance gaps and prevent AML violations. Fintechs can also leverage feedback from the diligence process to calibrate their AML programmes to satisfy regulatory scrutiny and related third-party risk management standards.
Cybersecurity
Banks should view cybersecurity as a separate and more involved area of the diligence process.
Unlike at other firms, user data and intangible assets comprise a significant portion of a fintech’s enterprise value. Zero-day attacks and cyber breaches may lead to private lawsuits and regulatory enforcement actions. These incidents erode a fintech’s value and damage the reputation of a partner or acquirer. Therefore, banks should conduct extensive cybersecurity diligence to identify vulnerabilities and comprehensively assess a fintech’s internal policies and vendor management systems.
As a baseline, fintechs should maintain a robust cybersecurity infrastructure that requires systems testing, monitoring and incident response plans. These plans must provide for external reporting to authorities, customers and affected third parties. Banks may also consider restricting a fintech’s access to specified parts of its technology network.
During diligence, banks may consider retaining independent cybersecurity experts to better understand a fintech’s threat exposure, data management and security practices. Banks should ensure any partnership or acquisition agreement contains appropriate indemnification provisions, and tailored representations and warranties addressing cybersecurity.
Consumer protection laws and regulations
Banks partnering with or acquiring fintechs must diligently assess the fintech’s compliance with consumer protection laws and regulations.
Depending on the scope and type of product or service offered, banks may evaluate an array of consumer protection laws and regulations. These laws are enforced by state attorneys general and the Consumer Financial Protection Bureau (CFPB), and range from fair lending laws to the prohibition of unfair, deceptive and abusive acts or practices (UDAAPs). The CFPB has defined UDAAPs through enforcement activity, and federal banking statutes provide little guidance as to what constitutes an “abusive” act or practice. Therefore, banks should be prepared to make certain adjustments to the value of a partnership or acquisition based on a firm’s compliance with UDAAPs.
A well-designed diligence process focused on consumer compliance can uncover regulatory issues, mitigate risk and assist banks and fintechs in appropriately valuing partnerships and acquisitions. Fintechs should be prepared to discuss the details of their internal consumer compliance policies, regulatory issues encountered and the resolution of such issues with prospective partners or acquirers.
Strategic diligence is a key component of a successful fintech partnership or acquisition. Fintechs maintaining robust AML, cybersecurity and consumer protection practices will have superior bargaining power in negotiations, and be well-positioned for a partnership or exit. When conducting diligence, banks should retain internal and external advisory teams familiar with the regulatory landscape and focus areas above.
Banks broadly use a three-pronged strategy to check money laundering and fraud:
- Profiling. Banks undertake KYC (know your customer) and CDD (customer due diligence) to identify linkages, ultimate beneficial owners (UBO), establish the legitimacy of business and source of money. Some categories like PEP (politically exposed person), public figures, money services et al are then assigned a higher risk grading. This risk-based assessment (RBA) grading determines the intensity with which to monitor the respective customer account.
- Transaction monitoring of inflows and outflows in the account helps to identify anomalies. The back-end systems screen the transactions against pre-specified rules, such as a spike in the value or volume of transactions, or the counterparties the customer is dealing with. These checks are based on materiality thresholds, decided either by the bank officials or guided by regulators (for example, the Reserve Bank of India stipulates monitoring of cash transactions above 10 Lakhs, and the Bank Secrecy Act (USA) mandates that transactions above $10,000 be verified).
- Database match with negative lists of various institutions, including Interpol, OFAC, FATF, EU, ECGC, RBI et al to filter out obvious defaulters and criminals. Banks also use database screening services such as World Check or Factiva to identify any other linkage to politicians, public figures, sanctioned jurisdictions or criminals, and perform basic web or media search for any negative news.
Overall, the banks perform screening at transaction level, account level, customer level and industry/peer group level. Anomalies thrown up by all these checks are then manually verified, first by the front-end teams and subsequently by the compliance staff, to determine the veracity. Any transaction assessed as suspicious is reported to regulators through a suspicious activity report (SAR).
While this approach has evolved over time and has helped in reducing money laundering, the significant amount of manual checks and judgemental bias reduce consistency and ultimately fail to provide an effective and efficient AML system.
Challenges to AML process
The legacy systems have various shortcomings, causing numerous challenges in creating a robust AML system.
- Large number of transactions. As per Capgemini’s World Payments Report 2016, the global non-cash transaction volume in 2014 stood at 387.3 billion and was estimated to be 426.3 billion in 2015. It continues to grow with increasing digital penetration in the emerging economies, and as the growth of wearables and biometric-enabled payments systems converts more and more cash transactions to digital. Put briefly, the transaction data is too large to be screened comprehensively. It’s difficult for any large bank, with millions of transactions per day, to screen all the transactions in a short time window using a legacy system, especially when the market is increasingly demanding real-time settlement TATs (turnaround times). The alternative is to perform sample-based checks, which means some suspicious transactions are missed.
- Assessment based on past trends. One significant drawback of the legacy AML systems is that these are designed to monitor known behaviours based on past trends. Much of this is judgemental based on amount thresholds or spikes in transaction value and volume. The criminal minds, however, have enough incentive to work out elaborate schemes over long periods and continuously find new loopholes. Smurfing (or structuring), for example, is a common tool used by money launderers, where they deposit a small amount of money in multiple accounts over a long period of time. Since there’s an established regularity of transactions, most of them being of small value, a rule-based system may not find any anomaly for long periods.
- False positives. A major challenge with the generic rule-based systems is the large number of false positives they throw up. This is a huge productivity loss, because each match needs to be manually vetted by bank employees, requiring discrete customer interviews and EDD (enhanced due diligence) to ultimately conclude that the transaction is genuine in 99%+ cases. As the bank is screening an extensive data set and verifying it manually, such a practice may be somewhat helpful, but is cumbersome and highly inefficient.
- New payment methods. Innovation in payments has opened new avenues for money launderers. The increased penetration of mobile banking, prepaid cards and credit cards has improved the hit rate of finding gullible people for skimming, phishing attacks and identity theft. The advent of cryptocurrencies such as bitcoin poses another big challenge, one beyond the control of banks, as these are peer-to-peer and completely anonymous, with no engagement of a formal banking system. The 2010 FATF report on money laundering using NPMs articulates the dangers:
  “Anonymity, high negotiability and utility of funds as well as global access to cash through ATMs are some of the major factors that can add to the attractiveness of NPMs for money launderers. Anonymity can be reached either “directly” by making use of truly anonymous products (i.e. without any customer identification) or “indirectly” by abusing personalised products (i.e. circumvention of verification measures by using fake or stolen identities, or using strawmen or nominees, and so on).”
- Skew towards structured data. Much of the statistical assessment to correlate various money laundering indicators is done based on the structured data available in the form of account statements, customer forms or external sanction or negative lists. This gives only a partial picture, as most of the structured data is conspicuous to the criminals and therefore may be stage-managed. While analysis of such data does throw up some correlation, it may be insufficient to establish causation, leading to multiple false trails and redundancies.
- Data silos. The technology landscape in a bank is typically a patchwork of varied platforms sourced from multiple vendors. In a universal bank, for example, while commercial banking may be using a specific CRM or workflow system, retail banking may have another platform linked to a core system for transaction processing and customer life cycle management, and all these may have no relation to the trading or tracking system used by the Treasury. While this creates a challenge of interoperability, the problem from an AML point of view is to integrate the data generated from each. This data integration takes time, causing a significant lag in creating a comprehensive management information system (MIS), which becomes available only long after the event has already happened.
- Every bank is an island. There is limited interaction between the banks to share their AML best practices, and a launderer can always move banks in case they feel the bank is getting suspicious or asking too many questions. The information of attempted fraud or lapses does get centralised with regulators (such as the Central Fraud Registry of RBI, or the list from Financial Action Task Force (FATF), a global intergovernmental body) but is available for use only much later. A real-time entity level alert system may help plug the gaps across banks.
- Manpower dependence. Since time immemorial, there have been numerous stories of money launderers conniving with bank employees to falsify or omit key details or data points that the bank systems are designed to check. As per a recent RBI report, during April-December 2016 a total of 450 employees from various public and private sector banks were found to be involved in fraud cases totalling 3,870, with a value of Rs 17,750. Similarly, in 2014-15, BNP Paribas was found guilty by the US authorities of deliberately omitting key details in transactions pertaining to sanctioned countries such as Iran, Sudan and Myanmar. They were fined $8.97bn and faced a one-year suspension on USD clearing.
- Training gestation. A corollary to high manpower dependence is the difficulty in hiring resources with the right skill set. The compliance staff is not only required to understand and implement the ever-changing internal policies, but also needs to keep abreast of the ever-evolving regulatory guidelines. Banks must ensure staff is trained regularly to build required internal expertise. These trainings are, however, not limited to compliance teams alone. The front-end relationship managers, service managers, tellers et al act as the first line of defence against money laundering and need to be sensitised and updated regularly. This implies long training gestations and ever-increasing budgets.
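The gap between a per-transaction threshold rule and smurfing, described in the monitoring and "assessment based on past trends" items above, shown as an added example (not code from the original article or from any bank's system). The transactions are constructed sample data; the 30-day window, the two-account minimum and the customer-to-account linkage from KYC are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import date

Txn = namedtuple("Txn", "customer account day amount")

THRESHOLD = 10_000   # per-transaction figure quoted in the article (USD)
WINDOW_DAYS = 30     # assumption: rolling look-back window
MIN_ACCOUNTS = 2     # assumption: "multiple accounts" means at least two

# Constructed sample cash deposits; customer ids come from KYC linkage (assumed).
TXNS = [
    Txn("C1", "A1", date(2019, 1, 2), 2_500),    # C1: small deposits spread
    Txn("C1", "A2", date(2019, 1, 5), 2_400),    # over five accounts
    Txn("C1", "A3", date(2019, 1, 9), 2_600),
    Txn("C1", "A4", date(2019, 1, 14), 2_500),
    Txn("C1", "A5", date(2019, 1, 20), 2_300),
    Txn("C2", "B1", date(2019, 1, 3), 15_000),   # C2: one large deposit
    Txn("C3", "D1", date(2019, 1, 1), 3_000),    # C3: occasional deposits,
    Txn("C3", "D2", date(2019, 3, 1), 3_000),    # months apart
    Txn("C3", "D1", date(2019, 5, 1), 3_000),
    Txn("C4", "E1", date(2019, 1, 7), 4_000),    # C4: weekly takings into
    Txn("C4", "E1", date(2019, 1, 14), 4_000),   # a single account
    Txn("C4", "E1", date(2019, 1, 21), 4_000),
]


def per_transaction_rule(txns, threshold=THRESHOLD):
    """Legacy rule: flag customers with any single deposit above the threshold."""
    return sorted({t.customer for t in txns if t.amount > threshold})


def structuring_rule(txns, threshold=THRESHOLD, window_days=WINDOW_DAYS,
                     min_accounts=MIN_ACCOUNTS):
    """Flag customers whose sub-threshold deposits, summed across all their
    accounts inside a rolling window, exceed the threshold."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.amount <= threshold:          # only what the legacy rule lets through
            by_customer[t.customer].append(t)

    alerts = {}
    for customer, deposits in by_customer.items():
        deposits.sort(key=lambda t: t.day)
        total, accounts, start = 0, Counter(), 0
        for t in deposits:
            total += t.amount
            accounts[t.account] += 1
            # Drop deposits that have fallen out of the rolling window.
            while (t.day - deposits[start].day).days >= window_days:
                old = deposits[start]
                total -= old.amount
                accounts[old.account] -= 1
                if accounts[old.account] == 0:
                    del accounts[old.account]
                start += 1
            if total > threshold and len(accounts) >= min_accounts:
                alerts[customer] = {
                    "from": deposits[start].day,
                    "to": t.day,
                    "total": total,
                    "accounts": sorted(accounts),
                }
                break                      # one alert per customer for review
    return alerts


if __name__ == "__main__":
    print("per-transaction rule:", per_transaction_rule(TXNS))
    for customer, alert in structuring_rule(TXNS).items():
        print("structuring rule:", customer, alert)
```

Lowering min_accounts to 1 also flags C4, the single-account depositor, which illustrates how loosening one parameter adds alerts that then need manual review.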
While challenges abound and complexity continues to increase, thankfully the technology advancement in the last decade is empowering banks with new tools to tackle the menace.
Ability to process large data on the fly. With the advancement in computing ability, storage capacity and big data analytics, large transaction sets can now be screened in real-time and in a cost-effective manner. As per the reports, the new age chips have reached a level of processing 1.78 trillion instructions per second. This is handy considering banks have a small window to provide go/no-go authorisation even as more and more transactions are now required to be processed in real-time. Even the post facto analysis of historical data can be done much faster and with multiple variables in a much larger data set. Banks need not be restricted by sample-based checks.
Better data visualisation. The biggest spin-off of the advancement in analytics is the improvement in data visualisation tools. With the advanced graphical representations, the compliance teams and senior management can see comprehensive dashboards derived from a large amount of transaction data. These tools not only improve visualisation and easy identification of patterns, they are also interactive and enable deeper data mining and querying capabilities. This helps identify interlinkages between accounts, which were otherwise hidden under layers of multiple entities and simply overwhelmed the system.
Predictive modelling. The advancement in statistical modelling tools is helping banks proactively identify problem areas. The clustering techniques bring the capability to easily modulate multidimensional data. For example, proximity analysis may indicate that seemingly unrelated entities in the same locality may really be a case of layering. Using such tools, banks can red-flag geographical, demographic or transactional clusters. As machine learning improves, response times reduce and the system becomes increasingly better as more data is fed in. With further advancement in neural networks and artificial intelligence, these AML systems will go beyond anomaly identification and acquire the ability to accurately judge the probability of the transaction being genuine or fraudulent/laundering.
Unstructured data assessment and behavioural profiling. The negative fallout of the growth of the internet has been the loss of privacy. Every time you’re on the web, you leave a trace. This is true even for the criminals who use the web as a tool and create various facades to layer their organisations, linkages and assets. A variety of tools are now available to analyse social media and web feeds, perform text analytics or assess call centre records. These off-the-record inputs help build a behavioural profile of the customer and bring better predictability to AML systems.
Development of regtech and edutech. In 2016, JP Morgan spent around $325m in training and development. While there are no clear estimates, it’s safe to assume that a push on compliance has increased the training costs significantly as a large part of the workforce is required to be trained on internal and external policy changes. However, with the increasing use of webinars and e-trainings, it’s becoming easier to disseminate the information in a cost-effective way. The availability of virtual reality (VR) tools will further make the training interactive, personalised and effective, obviating the need for classroom sessions.
The increasing legal and regulatory complexity is another challenge for the banks, and they spend a significant amount of money in consultancy and lawyer fees. With the development of regulatory bots, banks will be able to determine the legality of a transaction without waiting for days for internal and legal teams to respond. Regtech tools such as Suade, Silverfinch, Osis and many others are already aiding automation of regulatory reporting while simultaneously reducing costs and improving accuracy. These may ultimately become a bridge between regulators and banks to deal in real-time.
Blockchain and smart contracts. Beyond bitcoin, one of the important use cases of blockchain is its ability to tamper-proof documentation and contracts. It’s already being experimented with Ripple, Ethereum and other such platforms offering blockchain-based KYC and trade transaction solutions. Mixed with good AML practices, blockchain can provide a foolproof way to make identity duplication, forgery and omission nearly impossible.
The onus is still on banks
As inventor and futurist Ray Kurzweil predicts, the machines are likely to become as smart as a human brain by 2020. The fears of evil AI taking over the world may make you even more paranoid, yet the dangers posed by humans to humans are no less worrying. It seems for the AML cause, technology will benefit us more than the unforeseen dangers it poses, by helping build robust AML processes and making life a bit difficult for criminals. Some of the development is still nascent and may take some time before becoming mainstream, but clearly the onus is on banks.
I’m hopeful that 2019-20 will see a change, with more banks adopting new age tools and investing in innovation to bring more technology in anti money laundering efforts, instead of blindly hiring more compliance staff.
Footnotes
1) https://banknxt.com/60329/technology-anti-money-laundering/
2) http://www.allenovery.com/publications/en-gb/lrrfs/cross-border/Pages/Cryptocurrency-AML-risk-considerations.aspx