Around $2 trillion is laundered every year and everyone is paying the price. Banks have huge regulatory overheads. Businesses and consumers encounter friction to open a bank account, transfer funds or instruct a lawyer. The best companies manage risk best. So, how do those in the payments industry use technology, process and people to manage their money laundering risk exposure?
Every crime that starts with money, ends with money laundering. If criminals want to profit from crime and avoid prosecution, they must find a way to disguise the origins of their ill-gotten gains. Drug smuggling, human trafficking, arms dealing, fraud: money laundering is the engine to them all. Crime simply does not pay without it – writes Joyrene Thomas, Payments Cards and Mobile.
ON THE MONEY
Both money laundering and the prevention of it are big business. Around 2-5 percent of worldwide GDP ($800 billion-$2 trillion) is laundered globally every year, according to estimates from the United Nations Office on Drugs and Crime.
Banks worldwide spend around $8 billion on anti-money laundering (AML) compliance annually, according to research firm WealthInsight. They have also spent $321 billion in fines since 2008 for regulatory failings, ranging from money laundering and terrorist financing to market manipulation, says the Boston Consulting Group.
The quantity of regulation is increasing. With around 200 revisions daily, the number of individual regulatory changes to track globally has more than tripled since 2011. Unsurprisingly, 60 percent of respondents to a Dow Jones/ACAMS (Association of Certified Anti-Money Laundering Specialists) cited increased regulatory expectations as a compliance challenge. 28 percent felt it was the main challenge.
The regulatory burden is only set to increase as the complexity and scope of regulation increases. “There is a raft of new legislation, which impacts members in a number of different ways. Some of it is mutually exclusive,” says David Pelled, CEO, MLROs.com, an industry-led forum for financial crime practitioners. For example, the right to be forgotten within GDPR is diametrically opposed to basic principles around KYC, reporting and keeping good financial crime records.
The fourth EU anti-money laundering directive (4AMLD) came into effect this summer. It broadens the scope of AML regulations to professional service firms and others. Accountants, auditors, lawyers, notaries, real-estate agents, trusts and gambling operators among others are now caught by the directive. It also includes provisions for greater customer due diligence at boarding and throughout the relationship, greater personal liability and greater information sharing.
“We are seeing a trend to prevent professionals from being seen as enablers [for money laundering],” says Alex Ktorides, partner at law firm Gordon Dadds. “That goes hand in hand with a new piece of UK legislation, the Criminal Finances Act 2017, which will place an additional burden on them when it comes to making reports.”
With regard to customer due diligence, it is harder to adopt a hands-off approach. Firms cannot automatically apply simplified due diligence (SDD) measures. They must first ascertain that the relationship or transaction presents a lower degree of risk, even when SDD in the past would have been sufficient, explains Ktorides.
DATA IS THE NEW OIL
It was Clive Humby, one half of the husband and wife team dunnhumby whose data insights powered Tesco Clubcard, who declared that “data is the new oil.” He went on to say that just like crude oil, data is valuable. But unrefined, it cannot really be used. So, if money laundering facilitates crime, is data the new oil to prevent it?
The exponential growth in the availability of data and the speed with which organisations can manipulate and use data is setting the scene. “If an organisation had all the data, time and resources it needed, it would be able to prevent all money laundering,” says Gavin Proudley, global director, due diligence, Dow Jones.
“But — and it’s a very big, start of a sentence, capital ‘B’ but — no organisation at this point in time has all the data, all the resource, and definitely all the time needed to analyse all that data,” he adds. Banks and financial institutions also come up against the familiar data science and risk management problem: incomplete data.”
“Organisations only see the activity that is associated with their card [programme]or the payment they are facilitating. That’s where organisations and communities that go across different financial institutions can really help build models, understand the activity of fraudsters and identify money laundering,” says Proudley.
For example, a customer may have no record in the market and be unable to explain where their revenue has come from. A customer may have been involved with illegal or unethical behaviour in the past. And be trying to perpetrate the same fraud in a different jurisdiction or with a different bank.
Vendors that supply sanctions, anti-corruption and negative news screening can provide background and context on customers. They can also validate information provided by customers themselves to better identify possible risk indicators.
FOLLOWING THE MONEY IS NOT ENOUGH
In the fight against money laundering, the challenge is not merely incomplete data. It is also having the right data and the right systems to analyse it.
“AML is all about knowing your customers. Many institutions have closed branches and invested in digital transformation,” says Stanley Harmsen van der Vliet, marketing manager at software company INFORM. “Without the physical contact or site visits that you had in the past, banks are now depending more on data and the quality of data.”
AML monitoring systems have also evolved over time. “First-generation systems were very much developed to detect certain scenarios using certain data. With all these new channels in place, the systems are not agile or flexible enough to adjust,” contends Harmsen van der Vliet.
Old technology and manual money laundering techniques cannot keep pace with modern money launderers. It’s time for a hard reset. Following the money is not enough, systems must now monitor behaviour and other factors – and do so in a new way.
“A client’s business may look legitimate, but when you discover that they are frequently logging into an online banking account via an IP address in a high-risk country, that is something you want to know and investigate,” explains Harmsen van der Vliet.
“I think that in the future, everything will be a data science problem,” Gavin Proudley, global director, due diligence, Dow Jones.
Money laundering is trying to make dirty money look clean. Money launderers fly under the radar and try to look like normal customers. It is all about artifice, deception and fraud. In this way, money laundering – and the detection and prevention of it – shares similarities with account take-over fraud and ‘friendly fraud’ in the card payment world.
“If you’re purely looking at normal or abnormal behaviour, there’s not such a difference between detecting fraud and detecting money laundering. The only difference is that you are looking at normal behaviour from a different point-of-view,” says Harmsen van der Vliet.
Banks and financial institutions are sometimes hampered in this regard by siloed systems. Systems related to customer on-boarding, monitoring, PEPs, sanctions screening do not interconnect. They give individual results without having a holistic view on the customer relationship.
The need for a more joined-up approach to money laundering across and between organisations is something echoed by Europol. In its recent report From Suspicion to Action, it calls for improved domestic and international cooperation.
Barriers in international and diagonal information exchange between agencies may prevent suspicious transaction reports from being fully exploited. Europol also called for public-private partnerships at an EU level and more widespread sharing of financial intelligence across crime areas beyond money laundering.
“If organisations had all the data, then they could solve it using great analytics. It feels at the moment that they lack a lot of the data to reach those conclusions in a cost-effective and timely way. So, it is a data science problem, but also a case of organisations and people collaborating,” says Proudley from Dow Jones.
“If you are using technology without a robust process and without an effective culture, then it’s a pointless process,” he continues. “The technology can accelerate and make your processes and the activities of your people more efficient, but it can’t replace a bad culture.” This speaks to the importance of both people and an effective risk management culture in the fight against money laundering.
In this regard, banks and financial institutions could look to other industries. “They could learn to be more targeted in their approach to money laundering under 4AMLD. We see from other regulated sectors that they are more confident in assessing risk and putting more emphasis on higher risk transactions or customers. Whereas what we’re seeing from banks and financial institutions is a de-risking approach,”
When leaders do not understand or feel confident in managing risk, knee-jerk reactions are common, particularly after a regulatory fine or investigation. The best companies manage risk best to maximise profitability. This often involves assuming risk according to a risk-based approach, rather than terminating it altogether by exiting the business.
Firms can also manage their risk exposure through cultivating the right culture. Enquiries into the banking collapse and failures of safeguarding for children in care have concluded that improvement does not necessarily come from more procedures and tighter compliance. Rather from addressing leadership, cultural and behavioural issues.
An organisation may have technology and processes in place to combat money laundering or other risks. Yet it is a significant problem if their people do not understand, care about or bypass processes. This may be increasingly uncommon as a result of changing culture and regulatory pressure. However, people remain as important as technology and processes in preventing money laundering, if not more so.
THE ARMS RACE CONTINUES
Money laundering is probably never going away. But what dos the future hold for money launderers and those that work to prevent it?
“For money launderers, the world is getting smaller,” says Ktorides. “The places that they can hide money and operate in the shadows is lessening.” It is becoming more difficult to find friendly jurisdictions where they can obscure ownership of companies and buy assets.
Money laundering is not just about banks and financial institutions. Regulators and governments are aware of this. There is increased appetite to prevent professional service firms from being utilised to launder money. The problem is also global not local. As such, firms should expect greater sharing of information between regulators domestically and cross-border.
Technology will help in the fight against money laundering, but it is not a panacea. And as technology is morally neutral, there is no guarantee that it will remain in the hands of the good guys.
“Whenever a new technology emerges, it still feels that the people who want to abuse that technology are first off the mark. That’s partly because banks, MNOs, card issuers are organisations that are, for the most part, built around good customers,” says Proudley. “That unfortunately means that people who want to behave badly can take advantage.” But technology is catching up and the ability of organisations to create increasingly sophisticated models, so they can identify anomalous behaviour is growing
Ktorides also feels the future for money launderers lies in the use of technology. Obscuring owners, buying assets and holding on to them for a long time will increasingly fall away. But this will be potentially replaced with cybercrime and the increased use of cryptocurrencies. As one door closes on the money launderers, so
Money laundering is a very fast-moving environment and there is going to be a lot of homogenisation, thinks Pelled. “What was once regarded as fraud as opposed to money laundering is going to be pulled in. This includes elements of cybersecurity, cybercrime and payments.”
Understanding exactly what happens, how it happens and where the holes are in the system will always be the focus of money launderers – and those trying to prevent them.
GLOSSARY OF ACRONYMS
AML/CFT — Anti-Money Laundering and Countering or Combatting the Financing of Terrorism. Money laundering is essentially the process by which criminals try to make the proceeds of crime look legal. Generally, money laundering is cleaning dirty money, while terrorist financing is taking clean money and using it for dirty purposes.
CDD — Customer Due Diligence incorporates elements of know your customer (KYC), but also knowing your customer’s business and sometimes your customer’s customers. There are three main levels of due diligence depending on an assessment of the risk posed by the customer: customer due diligence, simplified due diligence (SDD) and enhanced due diligence (EDD).
CTR – a Currency Transaction Report documents a physical currency transaction that exceeds a certain monetary threshold. A CTR can also be filed on multiple currency transactions exceeding the required reporting amount. Some countries have requirements around when CTRs should be filed with government authorities.
FATF — the Financial Action Task Force established by the G7 summit in 1989 to develop a coordinated international response to money laundering. FATF publishes and updates recommendations setting out measures that governments should adopt around effective AML.
KYC – Know Your Customer is the process by which an organisation determines the true identity of a customer and the type of activity that is expected, usual and normal for them.
MLRO — the Money Laundering Report Officer is the person responsible for receiving and analysing suspicious activity reports around money laundering made within the organisation. They implement internal policies on customer due diligence, record-keeping and staff training related to money laundering. They also have external disclosure responsibilities.
MSB – the Money Services Business sector includes a range of services relating to the transmission or conversion of funds, such as dealing in foreign exchange, cheque cashing, issuing or selling traveller’s cheques or money orders, providing or selling prepaid access, and money transmission.
PEP — a Politically Exposed Person is someone who has been entrusted with prominent public functions (e.g. heads of state, government, judiciary, central banks, diplomats), their family members or associates.
SAR/STR — Suspicious Activity Reports or Suspicious Transaction Reports take account of a customer’s transactional and non-transactional behaviour. Deposits and funds transfers are examples of the former; address changes an example of the latter.