Despite the record fines meted out to the banking and financial services sector recently, money laundering is increasing year after year. But governments and regulators are pushing back globally – with consequences for financial services of all types.
Martin Morris talks to experts across the banking industry to understand the scale of the money laundering challenge, how new regulations might help keep banks within the law – and why new rules need to be shadowed by better training and technology.
Last year was a fruitful one for global regulators. A total of $10.4bn in fines were imposed across the banking and financial services sectors, covering a range of infractions – with everything from anti-money laundering (AML) and know your customer (KYC) to data privacy infractions all featuring. Even so, these successes quickly pale when compared with the estimated $2.1trn that financial crime costs the global economy each and every year.
To put it another way, staying ahead of the criminals and their avalanche of fraud can prove remarkably tough for governments and officials alike. That’s true even when new regulations promise to boost the fight against fraud.
The EU’s new AML Directive (AML6), due to be fully implemented in June this year, is a case in point. Put simply, the new regulations significantly widen the scope of data banks now need from clients. Combined with some thoughtful analysis – and better technology – the new rules have a chance to stop the worst money laundering offences in their tracks.
Too much information?
When trying to understand the customer’s field of business, it’s important for banks to obtain enough information to spot fraud. Yet as Marius Galdikas, CEO of online banking services provider ConnectPay, explains, older legislation comes fraught with problems. Between uncertainty about how much information banks need to collect – and the related fear of non-compliance – he says that banks have often placed “excessive demands for the customer, which increases friction and damages the overall customer experience”.
In other words, says Galdikas, the historical situation leaves little room for financial institutions to manoeuvre between compliance and facilitating a smooth KYC process. AML6, however, promises to change all this.
By harmonising the definition of money laundering across the EU, and specifying exactly when banks are liable in the event of a crime, it makes the whole KYC process far simpler. In the payments sphere, the introduction of ISO 20022 from next year will mean the creation of a common global language for payments data, and bring about a number of enhancements to the global payments network.
Against this backdrop, moreover, digitalisation in the banking sector continues apace – presenting significant opportunities when it comes to battling financial crime. As Daniel Mikkelsen, a senior partner at McKinsey, puts it, more data-driven approaches are being introduced across the spectrum of financial crime risk management.
That ranges “from advanced analytics to monitoring transactions and identifying suspicious patterns or networks, to the use of better-connected data sets to identify events that indicate that clients pose a higher crime risk for financial institutions”.
Among other things, Mikkelsen continues, this is driven by regulatory technology firms looking to innovate beyond legacy systems and processes – common across the bigger financial institutions.
Taking predicate offence
All well and good. From a practical standpoint, however, once the new rules become fully operational, and new technology comes online, there is every likelihood that financial institutions will have to train or remind some employees to take account of the new and expanded risk environment.
After all, core to any bank’s governance – in terms of AML strategy at least – is the robustness of its KYC procedures. And, given the regulatory environment is becoming increasingly complex, the cost of making a mistake is potentially high.
A perfect example of this is the money laundering scandal that rocked several northern European countries in 2019. The scandal’s waves initially washed up at Latvia’s ABLV, before moving on to the Estonian branch of Danske Bank, and later drawing in Swedbank – with the Nordic bank subsequently firing its chief executive and most of the board in the aftermath.
Key to Swedbank’s problems were lax internal controls in its Baltic units, principally Estonia and Latvia. The fundamental issue was that both units continued to pursue risky non-resident customers as a business strategy. Swedbank’s Estonia unit even accepted customers off-boarded from another Estonian bank – after it had decided they were a likely money laundering risk.
Compounding the problem, Swedbank employees kept certain information about who owned these new accounts outside the bank’s regular customer databases, instead hiding it in a safe. Obviously, that made it difficult to figure out if these people were criminals or under sanctions.
In the wake of the scandal, Swedbank tightened up its customer due-diligence controls, and now also insists that any new relationship with a so-called ‘politically exposed person’ (essentially individuals, like terrorists or war criminals, who are under international sanctions) is first approved by an authorised decision-maker. Another way forward is Invidem.
A joint initiative by Danske Bank, DNB, Handelsbanken, Nordea, SEB and Swedbank, Invidem is a simplified way of information sharing – with the ultimate aim of making the KYC process far smoother.
Though the founding banks are also Invidem’s first customers, the expectation is that its services will eventually be expanded to include other banks, as well as non-banks, impacted by money laundering regulations. That includes insurance companies, auditing and accounting companies as well as real estate agents.
Diligence where it’s due
Rooting out dodgy clients via KYC procedures is one thing, but banks face major threats from elsewhere – not least from potential breaches to their systems. Data is commercially sensitive, and unscrupulous actors will happily extract any information if they can. Obviously, prevention is better than cure and the Threat Intelligence-Based Ethical Red Teaming for the EU (TIBER-EU) framework tries to address the issue.
Promulgated in May 2018, and developed by the ECB and EU Central Banks, TIBER-EU is designed to be the new standard for threat intelligence gathering and cyber resilience fortification in the financial services industry. TIBER-EU tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence.
These tests are specifically designed to simulate an attack on the critical functions of an entity and its underlying systems – in other words its people, processes and technologies. However, the tests don’t just pump out passes or fails. Instead, the whole process is simply intended to reveal the strengths and weaknesses of the organisation being tested, in turn helping it reach a higher level of cybermaturity.
As good as this sounds in theory, implementation of TIBER testing varies. As Mikkelsen explains, the approach is well established in relation to certain types of financial crime, including cybersecurity, but is less developed in others – notably anti-money laundering.
A related problem, says Katie Jackson, a partner at Deloitte Forensic, involves the limitations of what regulation can achieve in isolation. For example, governments need to do more to ensure their unique understanding of threats is shared effectively with partners in business to inform and prevent risk.
“Financial intelligence units [FIUs] should be staffed and empowered so they can scale up their analysis of suspicious activity and transaction reporting to identify emerging threats and risks that can be shared,” explains Jackson. “The absence of feedback from FIUs has long been a complaint made in the AML field in particular.”
Happily, there’s increasing evidence of enhanced collaboration across financial institutions and public-sector agencies. One example, of course, is Invidem. Another is the transaction monitoring utility in the Netherlands, made up of a coalition comprising ABN Amro, ING, Rabobank, Triodos Bank and de Volksbank. Mikkelsen says this trend will continue across countries, and indeed expand to include more participants, including financial institutions, regulators, industry groups, and intelligence agencies.
“Such initiatives are premised on the ability to share information and data for the purpose of detecting and preventing financial crime, which is key,” he explains. “In addition to this, technology and analytics, including real-time connectivity, could revolutionise financial crime risk management and allow for a more effective and efficient operating model.”
In the meantime, vendors are building innovative approaches to detection using machine learning, network analytics and contextual approaches to increase the effectiveness and efficiency of detection. “We have identified the key criterion as a separate part of the application process allowing us to segment clients more diligently,” explains Galdikas of a new system at ConnectPay.
“This now allows us to build automation that considers requirements from different jurisdictions and industries, saving time for both us and our customers, and pre-empting any unnecessary communication ‘ping-pong’ that may appear down the road.”
All good news. More generally, though, you get the sense that addressing financial crime is like the painting of the proverbial bridge – a job that can never quite be completed. Cybercriminals, if no one else, will see to that.