No matter how much the globalisation theorists may want you to believe, the world post-9/11 is no longer flat but rather has become an undulated surface. The 2008 recession has only added fuel to the fire. On the one hand, the growing threat of terrorism has made us increasingly insecure and paranoid, while on the other many nations are responding to continued recession, economic disparity and unemployment by raising new barriers under the garb of nationalism. While the liberals may be enthused by the digitally linked globe and still swearing by the global bonhomie, the fears of conservatives may not be all wrong.
When the systems were archaic, the impact of any misuse was also limited and localised. However, in an interconnected world, the smallest of breaches can snowball and can be exploited for ulterior gains. It’s a dichotomy that while digitalisation is a tool for democratisation, it has also been used as a weapon to spread hatred and undertake large-scale money laundering to support the terrorism and drugs machinery.
As per the UN Office of Drugs and Crime estimates, the amount of money laundered globally is anywhere between 2-5% of global GDP, or USD 800bn – USD 2tn per annum. Other estimates put it to USD 2.5tn, almost the size of India’s nominal GDP.
Rapid change in technology paradigm is making even the best of financial institutions and government agencies unsure if they can have an edge over the new-age launderers, and for how long. Data breaches and system hacks are the new normal. New cracks and loopholes appear every day.
“The new theatre of war is the modern financial infrastructure,” says Tom Lin in his article ‘Financial Weapons of War’. And in this war of good against evil, the reluctant banker has been pushed to the frontline.
Bankers don’t maketh a valorous warrior
2008 has upended many variables in the profitability equation of banks. Rapid technology advancement and consequent disruption have put their legacy systems on the edge of obsolescence. Increased competition, lower credit off-take and poor sentiments have impacted the margins adversely. While much of this may appear to be a sequential trough in the economic cycle, there is a black sheep in the lot: compliance costs.
To their credit, banks have tried to adjust by shutting businesses, closing branches, exiting locations and right-sizing workforces, but the spiralling compliance costs ate up all the benefit. The mortgage crisis and sanctions-related investigations revealed material lapses on the part of the banks. The consequent regulatory push to make anti money laundering (AML), countering financing of terrorism (CFT), fraud prevention, tax evasion and regulatory reporting practices airtight led to a frenzy to augment their compliance departments.
Citigroup, for example, increased its risk, regulatory and compliance team from 14,000 (4.3%) in 2008 out of a total 3.23 Lakhs employees, to 29,000 (13.2%) in 2016 out of 2.19 Lakhs. It’s a similar story for other banks. Over the last few years, banks have paid USD 321bn in compliance-related penalties while simultaneously grappling with the cost of implementing FATCA, CRS and numerous other country specific regulations. The trend isn’t waning.
The 2016 Thomson Reuters Cost of Compliance Report noted that 69% of the institutions surveyed “are expecting regulators to publish even more information in the coming year, with 26% expecting ‘significantly more’”, and “three quarters of firms are expecting the focus on managing regulatory risk to rise in 2016″. A WealthInsight report estimates the AML compliance costs to grow at CAGR of 8.86% to $8.2bn in 2017.
It’s obvious that such en masse hiring and the high costs of waging war against money laundering is unsustainable. Maybe the traditional approaches to regulatory and AML compliance are inefficient. Or maybe the regulators have chosen a wrong warrior to man the border outpost!
How banks check money laundering
Banks broadly use a three-pronged strategy to check money laundering and fraud:
- Profiling. Banks undertake KYC (know your customer) and CDD (customer due diligence) to identify linkages, ultimate beneficial owners (UBO), establish the legitimacy of business and source of money. Some categories like PEP (politically exposed person), public figures, money services et al are then assigned a higher risk grading. This risk-based assessment (RBA) grading determines the intensity with which to monitor the respective customer account.
- Transaction monitoring of inflows and outflows in the account helps to identify anomalies. The back-end systems screen the transactions on pre-specified rules such as the spike in the value or volume of the transaction, or the counterparties the customer is dealing with. These checks are based on materiality thresholds, decided either by the bank officials or guided by regulators (for example, Reserve Bank of India stipulates monitoring of cash transactions above 10 Lakhs, or like the Bank Secrecy Act (USA) mandates transactions above $10,000 to be verified).
- Database match with negative lists of various institutions, including Interpol, OFAC, FATF, EU, ECGC, RBI et al to filter out obvious defaulters and criminals. Banks also use database screening services such as World Check or Factiva to identify any other linkage to politicians, public figures, sanctioned jurisdictions or criminals, and perform basic web or media search for any negative news.
Overall, the banks perform screening at transaction level, account level, customer level and industry/peer group level. Anomalies thrown up by all these checks are then manually verified, first by the front-end teams and subsequently by the compliance staff, to determine the veracity. Any transaction assessed as suspicious is reported to regulators through a suspicious activity report (SAR).
While this approach has evolved over time and has helped in reducing money laundering, the significant amount of manual checks and judgemental bias reduces consistency and ultimately fails to provide an effective and efficient AML system.
Challenges to AML process
The legacy systems have various shortcomings, causing numerous challenges in creating a robust AML system.
- Large number of transactions. As per Capgemini’s World Payments Report 2016, the global non-cash transaction volume in 2014 stood at 387.3 billion and estimated to be 426.3 billion in 2015. It continues to grow with increasing digital penetration in the emerging economies, and as the growth of wearables and biometric-enabled payments systems convert more and more cash transactions to digital. Put briefly, the transaction data is too huge to be screened comprehensively. It’s difficult for any large bank, with millions of transactions per day, to screen all the transactions in a short time window using a legacy system, especially when the market is increasingly demanding real-time settlement TATs (turnaround times). The alternative is to perform sample-based checks, which leads to ‘miss out’.
- Assessment based on past trends. One significant drawback of the legacy AML systems is that these are designed to monitor known behaviours based on past trends. Much of this is judgemental based on amount thresholds or spikes in transaction value and volume. The criminal minds, however, have enough incentive to work out elaborate schemes over long periods and continuously find new loopholes. Smurfing (or structuring), for example, is a common tool used by money launderers, where they deposit a small amount of money in multiple accounts over a long period of time. Since there’s an established regularity of transactions, most of them being of small value, a rule-based system may not find any anomaly for long periods.
- False positives. A major challenge with the generic rule-based systems is the large number of false positives they throw up. This is a huge productivity loss, because each match needs to be manually vetted by bank employees, requiring discrete customer interviews and EDD (enhanced due diligence) to ultimately conclude that the transaction is genuine in 99%+ cases. As the bank is screening an extensive data set and verifying it manually, such a practice may be somewhat helpful, but is cumbersome and highly inefficient.
- New payment methods. Innovation in payments has opened new avenues for money launderers. The increased penetration of mobile banking, prepaid cards and credit cards has improved the hit rate of finding gullible people for skimming, phishing attacks and identity theft. The advent of cryptocurrencies such as bitcoin poses another big challenge, and beyond the control of banks, as these are peer-to-peer, completely anonymous with no engagement of a formal banking system. The 2010 FATF report on money laundering using NPMs articulates the dangers:
- “Anonymity, high negotiability and utility of funds as well as global access to cash through ATMs are some of the major factors that can add to the attractiveness of NPMs for money launderers. Anonymity can be reached either “directly” by making use of truly anonymous products (i.e. without any customer identification) or “indirectly” by abusing personalised products (i.e. circumvention of verification measures by using fake or stolen identities, or using strawmen or nominees, and so on).”
- Skew towards structured data. Much of the statistical assessment to correlate various money laundering indicators is done based on the structured data available in the form of account statements, customer forms or external sanction or negative lists. This gives only a partial picture, as most of the structured data is conspicuous to the criminals and therefore may be stage-managed. While analysis of such data does throw up some correlation, it may be insufficient to establish causation, leading to multiple false trails and redundancies.
- Data silos. The technology landscape in a bank is typically a patchwork of varied platforms sourced from multiple vendors. In a universal bank, for example, while commercial banking may be using a specific CRM or workflow system, retail banking may have another platform linked to a core system for transaction processing and customer life cycle management, and all these may have no relation to the trading or tracking system used by the Treasury. While this creates a challenge of interoperability, the problem from an AML point of view is to integrate the data generated from each. This data integration takes time, causing a significant lag in creating a comprehensive management information system (MIS) , much after the event has already happened.
- Every bank is an island. There is limited interaction between the banks to share their AML best practices, and a launderer can always move banks in case they feel the bank is getting suspicious or asking too many questions. The information of attempted fraud or lapses does get centralised with regulators (such as the Central Fraud Registry of RBI, or the list from Financial Action Task Force (FATF), a global intergovernmental body) but is available for use only much later. A real-time entity level alert system may help plug the gaps across banks.
- Manpower dependence. Since time immemorial, there are numerous stories of money launderers conniving with bank employees to falsify or omit key details or data points that the bank systems are designed to check. As per a recent RBI report, during April-December 2016 a total of 450 employees from various public and private sector banks were found to be involved in cases of fraud totalling 3,870 cases, and with a value of Rs 17,750. Similarly, in 2014-15, BNP Paribas was found guilty by the US authorities of deliberately omitting key details in transactions pertaining to sanction countries such as Iran, Sudan and Myanmar. They were fined $8.97bn and faced a one-year suspension on USD clearing.
- Training gestation. A corollary to high manpower dependence is the difficulty in hiring resources with the right skill set. The compliance staff is not only required to understand and implement the ever-changing internal policies, but also needs to keep abreast with the ever-evolving regulatory guidelines. Banks must ensure staff is trained regularly to build required internal expertise. These trainings are, however, not limited to compliance teams alone. The front-end relationship managers, service managers, tellers et al act as the first line of defence against money laundering and need to be sensitised and updated regularly. This implies long training gestations and ever-increasing budgets.
How technology is helping overcome AML challenges
While challenges abound and complexity continues to increase, thankfully the technology advancement in the last decade is empowering banks with new tools to tackle the menace.Ability to process large data on the fly. With the advancement in computing ability, storage capacity and big data analytics, large transaction sets can now be screened in real-time and in a cost-effective manner. As per the reports, the new age chips have reached a level of processing 1.78 trillion instructions per second. This is handy considering banks have a small window to provide go/no-go authorisation even as more and more transactions are now required to be processed in real-time. Even the post facto analysis of historical data can be done much faster and with multiple variables in a much larger data set. Banks need not be restricted by sample-based checks. Better data visualisation. The biggest spin-off of the advancement in analytics is the improvement in data visualisation tools. With the advanced graphical representations, the compliance teams and senior management can see comprehensive dashboards derived from a large amount of transaction data. These tools not only improve visualisation and easy identification of patterns, they are also interactive and enable deeper data mining and querying capabilities. This helps identify interlinkages between accounts, which were otherwise hidden under layers of multiple entities and simply overwhelmed the system. Predictive modelling. The advancement in statistical modelling tools is helping banks proactively identify problem areas. The clustering techniques bring the capability to easily modulate multidimensional data. For example, proximity analysis may indicate that seemingly unrelated entities in the same locality may really be a case of layering. Using such tools, banks can red-flag geographical, demographic or transactional clusters. As machine learning improves, response times reduce and the system becomes increasingly better as more data is fed in. With further advancement in neural networks and artificial intelligence, these AML systems will go beyond anomaly identification and acquire the ability to accurately judge the probability of the transaction being genuine or fraudulent/laundering.
The increasing legal and regulatory complexity is another challenge for the banks, and they spend a significant amount of money in consultancy and lawyer fees. With the development of regulatory bots, banks will be able to determine the legality of a transaction without waiting for days for internal and legal teams to respond. Regtech tools such as Suade, Silverfinch, Osis and many others are already aiding automation of regulatory reporting while simultaneously reducing costs and improving accuracy. These may ultimately become a bridge between regulators and banks to deal in real-time.Blockchain and smart contracts. Beyond bitcoin, one of the important use cases of blockchain is its ability to tamper-proof documentation and contracts. It’s already being experimented with Ripple, Ethereum and other such platforms offering blockchain-based KYC and trade transaction solutions. Mixed with good AML practices, blockchain can provide a foolproof way to make identity duplication, forgery and omission nearly impossible.
The onus is still on banks
As inventor and futurist Ray Kurzweil predicts, the machines are likely to become as smart as a human brain by 2020. The fears of evil AI taking over the world may make you even more paranoid, yet the dangers posed by humans to humans is no less worrying. It seems for the AML cause, technology will benefit us more than the unforeseen dangers it poses, by helping build robust AML processes and making life a bit difficult for criminals. Though some of the development is still nascent and may take some time before becoming mainstream, but clearly the onus is on banks.
I’m hopeful that 2017-18 will see a change, with more banks adopting new age tools and investing in innovation to bring more technology in anti money laundering efforts, instead of blindly hiring more compliance staff.
– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. Read more here. Image by Perzeus, Shutterstock.com