As the Deadline Nears…Seven things to watch out for in 5 AMLD

As the Deadline Nears…Seven things to watch out for in 5 AMLD

The European Union’s Fifth Anti Money Laundering Directive (5 AMLD) must be implemented in national law by 10 January 2020. The Anti Money Laundering Directive has been continually updated and tightened ever since its introduction in 1990 with a view to making it harder for money launderers and terrorists to move their cash in and out of, and around, the EU. We highlight five things to watch out for in this latest iteration.

  1. New sectors affected

Until now AML rules have affected banks, accountants, building societies and gambling operators, plus accountants and lawyers. In addition to requiring these to comply with new rules and to review their existing procedures, 5 AMLD will affect new sectors. Most directly affected will be estate agents and intermediaries for properties with monthly rents in excess of € 10,000. They now fall under AMLD jurisdiction, as do the beneficial owners of such properties. Information on real estate ownership must be made available to the relevant public authorities. Clearly in view here are investments in valuable properties, for example in central London, which have served as a useful medium for drug traffickers and illegal arms dealers etc. to launder the proceeds of their activities. Anyone involved in high-end real estate will be under pressure to review when and how often they verify the identity of their customers to establish beneficial ownership.

The art world was not explicitly within the scope of 4 AMLD or previous iterations of the directive. Now, despite fierce resistance from the art world, 5 AMLD will require auction houses and art dealers also to undertake anti money laundering checks on customers. Establishing systems to carry out such checks will carry significant resourcing implications, and any failure to undertake checks with sufficient rigor can attract criminal penalty, for both institutions and their directors.

5 AMLD updates the current directive to include the following within the definition of “obliged entities”: persons trading or acting as intermediaries in the trade of works of art, including when this is carried out by art galleries and auction houses, where the value of the transaction or a series of linked transactions amounts to EUR 10,000 or more. This applies whatever the method of payment: cash, cheque, bank transfer, bitcoin etc.

All of this means that the estate agents, rental intermediaries, art galleries and auction houses affected must act now to put AML processes and procedures in place, and invest in the necessary technologies to meet their new obligations. These include registering with the relevant authority, conducting a money laundering risk assessment and carrying out customer due diligence especially in relation to transactions or business relationships that involve persons established in a high risk third country (see below), politically exposed persons etc.

In other words, quite a few companies will face a new resource burden. This will also affect their financial services providers, lawyers and accountants, so they should seek advice on how to ensure that compliance is cost-effective within their financial means.

2. Catching up with new technologies

The speed with which 5 AMLD has followed hot on the heels of 4 AMLD reflects the speed of technological change and the new ways in which business is conducted. Under 5 AMLD custodian wallet providers and virtual currency exchange platforms will fall within the scope of AML laws, as they too have been added as new “obliged entities”.

5 AMLD also allows and indeed promotes the use of electronic identification for customer due diligence. This directive stipulates a need, whenever possible, to use electronic client verification solutions when undertaking due diligence obligations and KYC procedures. Institutions that have not already done so should invest in the technology for quicker onboarding of new clients through instant results. Not only does it help ensure compliance, it also improves the customer experience.
Also, financial institutions across the globe are transitioning to artificial intelligence and machine learning technologies to help improve pattern detection, increase automation and alert accuracy.  

3. Tougher enforcement

There will be new national bank account registers in each EU Member State to enable easy access by law enforcement authorities to bank account information for all bank accounts held in that Member State. The registries will all be interconnected between Member States. In addition, enforcement authorities will be able to request information from an obliged entity even where no Suspicious Activity Report has been filed.

4. Tighter controls on high risk third countries

Credit institutions dealing with business relationships and transactions involving high risk third countries or having establishments in these countries may be particularly affected. The current list includes Afghanistan, Ethiopia, Iran, Iraq, North Korea, Pakistan, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, and Yemen. It has been proposed to add American Samoa, Bahamas, Botswana, Ghana, Guam, Libya, Nigeria, Panama, Puerto Rico, Samoa, Saudi Arabia, and the US Virgin Islands. 5 AMLD prescribes enhanced due diligence measures for business relationships or transactions involving high risk third countries, and also allows Member States to restrict obliged entities from opening branches/subsidiaries in high-risk third countries, and to restrict the opening of branches in a Member State of an obliged entity based in a high-risk third country.

5. Public scrutiny of beneficial ownership  

There will be wider access to each Member State’s central register of beneficial ownership of corporates. Any member of the general public can access basic information without the need to demonstrate a “legitimate interest” (this is already the case in the UK). There is also a new “discrepancy reporting requirement” that will require obliged entities to report any discrepancies they find between the information that they hold, and the information on the register.

5 AMLD also extends  beneficial ownership reporting requirements to any legal arrangement that is similar to a trust, as well as tax-neutral trusts. It also widens access to the central register of beneficial ownership to any person who can show a “legitimate interest”. It is left to the discretion of individual Member State to define legitimate interest, although 5 AMLD states that the definition should not restrict the concept to cases of pending administrative or legal proceedings, and should take into account the preventive work undertaken by non-governmental organizations and investigative journalists in the field of anti-money laundering, counter-terrorist financing and associated predicate offences.

6. Brexit has no impact

The United Kingdom has committed to adopting 5 AMLD along with the rest of Europe, either as part of the proposed transitional arrangement or some other deal which requires regulatory convergence in return for preferential access to the Single Market. Even in the event of a “no deal” Brexit after the transitional period, the UK – as a leading member of the Financial Action Task Force on Money Laundering (which sets the standards which underpin EU anti-money laundering law) – is unlikely to let UK AML standards fall behind those applicable elsewhere in Europe.

7. Other

Other new regulations include the ban on anonymous safe-deposit boxes and the subjecting of more prepaid instruments to due diligence (e.g. gift cards and travel cards). The threshold requirement on these has been reduced from €250 to €150. Finally, if that is not enough to take in, Member States will be required to transpose the next iteration – 6 AMLD – into national law by 3 December 2020.  After which, relevant regulations must be implemented by firms within Member States by 3 June 2021.
One of the positives about 6 AMLD is that it is more specific on the offences that all EU Member States must criminalize – 22 so-called predicate offences for money laundering in total. In addition to the obvious ones these include environmental offences, cybercrime, and direct and indirect tax offences.

Wishing everyone a Happy and Healthy Holiday Season!

Please join the conversation at AML Knowledge Centre https://www.linkedin.com/groups/8196279/

written by Paul Allen Hamilton https://www.linkedin.com/in/paulhamilton2/

Artificial intelligence: Reducing the AML Compliance Burden

Artificial intelligence: Reducing the AML Compliance Burden

How did we get here?

Since 9/11 financial institutions have made enormous investments in their anti-money laundering compliance programmes, but they are still faced with manual processes and complexities in complying with financial crime regulations. “One would be hard-pressed to suggest that banks are ignoring the need for better customer due diligence,” KPMG reported in March 2019. “Indeed, according to a recent Forbes article, some banks spend up to US$ 500 million each year in an effort to improve and manage their KYC and AML processes. The average bank spends around US$ 48 million per year. In the US alone, banks are spending more than US$25 billion a year on AML compliance.”

Much of the growth in costs is driven on the one hand by fear of fines for non-compliance (US$24 billion in non-compliance fines since 2008, but the cost to reputation can be higher) on the one hand and, on the other hand, by the need to address the high false-positive rates resulting in significant remediation efforts that rules-based systems generate.

Even though, financial institutions are the ones being fined they are by no means in this alone. There is an ecosystem of consultants, research companies, software vendors who also need to be held accountable to their clients.     

The reality is that few of the first generation AML systems were built to fight crime! These systems were mostly the by-product of business intelligence (BI) software products (as opposed to AML or financial crime solutions) that were originally created to provide insights into corporations’ past performance. Many of these systems are programmed using code that dates back to the eighties!  

After 9/11, many vendors seized the opportunity to position their BI software as AML compliance solutions. Consequently, financial institutions find themselves combatting sophisticated fraud, money laundering, and terrorist financing schemes with outdated BI software using code that dates back to the eighties!  

This is analogous to competing in this year’s Formula One driving Jackie Stewart’s Tyrrell or Alain Prost’s Renault.

No wonder, the expectations of many financial institutions’ compliance departments haven’t been met. With an exceptionally high rates of false positives, i.e. somewhere between 75 and 90 percent of alerts. In fact, many financial institutions’ compliance programs have continuously felt under-resourced compared to the volume of alerts and reports they must review while trying not to disrupt good business. Thus, financial institutions felt compelled at least those that could afford to do so built offshore entities taking advantage of lower labour costs to maintain their systems and manage their KYC alerts.

With all the attention on false positives, false negatives have a much better chance of slipping through the workflow. 

The risk-based approach was supposed to help financial institutions to get a grip on the high-rate of false positives by profiling customers and segmenting them based on their risk exposure. However, clustering customers into segments/categories based merely on products, channels, transactions, geographies, and industries and then building generic rules with arbitrarily selected thresholds was a simplistic approach, to say the least, and somewhat naïve from regulators.

Moreover, all this is happening at a time when legislation has made it easier for customers to swap from one financial institution to another. Rather than risk annoying good customers by constantly asking intrusive questions as a result of false alerts, banks have often further refined the number of segments … to the point that they become unmanageable.

The light at the end of the AML tunnel

Everyone in the AML ecosystem has come to realize that a better approach is needed, especially when it comes to verifying false positives. Basically, the whole industry is banking (pun intended) on big data, artificial intelligence (AI) and machine learning (ML) to help simplify complex processes and automate repetitive tasks. Therefore, the expectations for AI are overwhelmingly high according to PriceWaterhouse Coopers estimates, the contribution of AI to the gross world product by 2030 to be around 14 billion euros.

AI has the potential to remove the chains from AML compliance staff allowing them more time to deal with non-routine events and complex cases as well as having better information through a cleaner, more traceable process to make objective decisions.

Of course, machine learning models can process tremendous amounts of data, but ML systems still need to learn the difference between a false positive and a false negative and that in real-time. But there are challenges that need to be sorted out.

As with every new technology wave: CRM, business intelligence, big data, predictive analytics, or artificial intelligence, etc. technology companies can’t resist the temptation to sprinkle the latest buzzwords on every bit of their software like fairy dust. This gold-rush atmosphere also has its downsides. In March the Financial Times reported that 40 percent of European AI start-ups do not actually use AI programs in their products, according to an investigation by the investment company MMC Ventures.

First, there simply isn’t enough well-structured data at most companies that can be used for teaching these ML / AI models. IBM’s Watson, named after the company’s first CEO, has learned this the hard way. Originally developed to answer questions using natural language processing (NLP), and then as a system to assist in the diagnosis of cancer, as of June 2017, the Watson artificial intelligence platform had been trained on six types of cancers which took years and input from a thousand medical doctors. 

A second, challenge is that criminals are always adjusting and trying new schemas and a third is that the financial services landscape is itself changing continuously, leaving ML and AI platforms with a real-time knowledge gap.

So, caveat emptor: these systems require months and in many cases years of laborious training, and a lot of support by expensive compliance experts and data scientists. The experts must feed vast quantities of well-structured data into the platform for it to be able to draw meaningful conclusions, and these conclusions are only based upon the data that it has been trained on, i.e. what happened in the past. An implementation project will involve:

  • Learning the transaction behaviour of similar customers 
  • Pinpointing customers with similar transactions behaviour
  • Discovering the transaction activity of customers with similar traits (business type, geographic location, age, etc.)
  • Identifying outlier transactions and outlier customers
  • Learning money laundering, fraud, and terrorist financing typologies and identify typology-specific risks
  • Dynamically learning correlations between the alerts that produced verified suspicious activity reports and those that generated false positives
  • Continuously analysing false-positive alerts and learning common predictors

For the most part, financial crime will be driven by advances in technology and this marriage of regulation and technology is not new in itself. However, with the continual increase in regulatory expectations, the staggering levels of cyber-attacks against financial institutions and the disruption of new instant payment initiatives will not make it easier on people working in compliance. 

In brief, these innovations address many gaps in today’s financial crime programmes by improving automation in the detection of suspicious activity, which would be a significant move from monitoring to preventing financial crime while being more cost-effective and agile. Financial institutions that have already been down this path before and have been disappointed would be wise to start with small-scale pilot projects with limited scope, using agile software delivery methodologies.

And above all, they need to invest in data quality as it is a key component of any successful financial crime program. High-quality data leads to better analytics and insights that are so important not only for accurately training ML and AI models, but also to drive better decisions.

Paul Allen Hamilton

Visit us at: AML Knowledge Centre (LinkedIn) 

Panel Discussion – Blockchain & KYC Hype to Real Applications

Panel Discussion – Blockchain & KYC Hype to Real Applications

It was a pleasure for me discussing – Blockchain & KYC Hype to Real Applications – with the other panel experts: Roman Stammes, Yana Afanasieva, Robert Engmann and moderator Anne Bailey at the Blockchain Enterprise Days 2019 in Frankfurt

Millions of dollars and countless business hours are being spent on Know Your Customer (KYC) process by banks every year. These costs are increasing due to AML requirements. Blockchain technology can be utilized to ease this process by offering banks and FinTechs transmissible digital identities, saving time and money. Blockchain technology can improve data quality and result in better governance. There has been a buzz about KYC and blockchain for some time now but actual large scale implementations are still to be carried out. In this panel we will talk about the current status & furture of Blockchain for KYC & AML.

The panel discussed the following points:
– What are the benefits of blockchain implementation in KYC process if any?
– Any specific examples of successful implementation?
– We see government collaboration between middle eastern and Asian banks to fast-track the use of blockchain for KYC & AML. Have there been any similar types of collaborative work in Germany and EU?
– Is standardized KYC necessary and would banks agree on that?

It would be interesting to know how many of you feel that Blockchain will help streamline KYC processes?

Also big thanks to @KuppingerCole Analysts AG and their team for organizing this important event!

Follow the AML Knowledge Centre on LinkedIn at https://www.linkedin.com/groups/8196279/ or connect with me at https://www.linkedin.com/in/paulhamilton2/

  

Money Laundering in a Digital Age – The Perfect Storm

Money Laundering in a Digital Age – The Perfect Storm

The new Black

With the rapid advancement of mobile technologies, the internet is now accessible from any- and everywhere. Open banking (PSD2) in the European Union, together with mobile wallets, instance payment initiatives and cryptocurrencies offer consumers a lot of ways to engage with financial institutions 24/7. Therefore, in today’s environment, customer expectations are constantly changing and it’s imperative that financial crime and Anti-Money Laundering units keeps pace.

No doubt that the widespread use of mobile devices is accelerating the rate and impact of financial crime. Today, mobile subscriptions outnumbered the world’s population as illustrated by Statista:

 

Which in turn, has spurred the use of mobile banking apps and the way consumers pay for generic services, in general altering us into a cashless society.

With new regulations such as the Payment Services Directive (PSD2), the European Union has set the rules for open banking, allowing FinTechs access to traditional financial institutions’ systems and customer data. Everyone is a winner, the benefits of open banking are enhanced customer service for under-served markets, new revenue streams, and improved margins.

While this presents major opportunities for everyone it places a lot of responsibility on those tasked with keeping a financial institution from being compromised by cyberattacks or used as a vehicle to launder money.  

How will current financial crime & anti-money laundering systems work in a digital world?

It’s difficult enough for financial institutions to monitor and detect violations of transactions taking at best 24 hours to clear. With digital payments clearing in real time the impossible becomes totally impossible using conventional methods as transactions clear in a matter of milliseconds. By conventional, we mean systems focused on a rule-based approaches, where suspicious transactions are put in a queue and investigated in an overnight batch mode.

Even in a world operating in batch, AML systems generate too many false positives (typically between two and 15% of all transactions) and therefore imposes a huge workload on banks and financial investigation units (FIU).

 

Number of Suspicious transactions reported to UIF in the UK: +51% (’12-16), from 67K in 2012 to 101K in 2016

 

As digital payments continue to increase, this problem is greatly scaled because banks are under pressure from customers and consumers to clear transactions as quickly as possible and still make sure that risk and compliance systems flag all risks and suspicious activities. 

 

The Internet of Things

 

Once upon a time, cybercriminals focused their efforts on PCs. However, with the average user spending about five hours per day on a mobile device, with roughly 70 percent of those smartphone devices not having an anti-virus program installed on them, sensitive data (e.g. contacts, passwords, emails, documents, photos, etc.) are exposed to cyber threats. Therefore, we have witnessed a sharp increase in new mobile malware, because criminals will always take the path of least resistance.

The Internet of Things (IoT) is driving the interoperability of physical devices, vehicles, home appliances and other electronic equipment through sensors and software enabled apps.

The number of online-capable devices was believed to have increased to 8.4 billion by 2017 and by 2020 experts estimated that 30 billion objects would be online, with a global market value of $7.1 trillion.

The Nokia Threat Intelligence Report 2H 2016 estimated that more than 100 million devices worldwide have been infected by malware, including mobile phones, laptops, notepads and a broad range of IoT devices. 

The same report stated that smartphones were more often targeted, accounting for 85 percent of all mobile device infections and smartphone infections increased 83 percent during July through December, compared to the first half of the year. 

According to Check Point Mobile Threat Research’s 2017 report (“Mobile Cyberattacks Impact Every Business”) financial institutions, as the custodians of their customer’s money and data are a much sought-after target for cyberattacks.  Malware attacks by industry:

With the number of mobile devices already infected and the connectivity of devices rapidly expanding, cybercriminals have more routes to target than ever before.  

As crazy as it once seemed, cybercriminals attacking financial institutions via a coffee machine, smartphone or even an employee’s wearable health-check device is no longer science fiction. Also, this malware storm isn’t a regional threat but it’s path of destruction is universal.   The most impacted regions according to Check Point mobile threat researchers:

 

Source: Check Point Mobile Cyberattacks Impact Every Business

The Eye of the Storm

 

That said, financial institutions appreciate the importance of digital technology and are embracing an ecosystem that includes FinTechs. These ecosystems can help to provide more customer value and open new customer segments. At the same time, they bring new types of operational risks with them, such as:

  • Risky user behaviour. For example, 70 % of smartphone users have never installed an anti-virus program on their mobile device.
  • 24/7 connectivity of mobile devices to hotspots.
  • WI-FI networks and Bluetooth technologies making it easier for attackers to carry out a fraud campaign.
  • Rogue mobile applications, repacking of apps and ransomware are on the rise.
  • Advance malware & viruses for online as well as mobile devices continue to increase.

Currently, the data on mobile fraud isn’t as robust as with other channels. These operational risks need to be continually assessed to build reliable mobile fraud models without jeopardizing the customer experience. 60 percent of digital banking fraud originates from the mobile channel, according to figures published by RSA in 2018. This mobile banking fraud almost always involves thieves using RDC to deposit fraudulent checks, or cybercriminals using stolen identity credentials to hijack consumer bank accounts. This actually caused a dip in the growth of mobile banking as users sensed insecurity. Security and fear of fraud are the top two concerns about using mobile banking for up to 55 percent of consumers, according to Javelin Research. And with more than 25 million mobile devices infected by a single malware variant alone (Agent Smith) it is hardly surprising. The exact number of malware-infected mobile devices is hard to quantify, but in 2018 Kaspersky Labs and products detected:

  • 5,321,142 malicious installation packages
  • 151,359 new mobile banking Trojans
  • 60,176 new mobile ransomware Trojans

A point often overlooked is that your ecosystem is the weak link when trying to protect against external threats. One lesson learned is the degree of difficulty to detect a compromise until bad things start to happen, examples:

The Carbanak malware set in the banks’ computer systems for months, sending back vital information to hackers, who were then able to impersonate bank officers carrying out internal procedures at more than 100 banks around the world.

With complete control of mission-critical systems, they managed the transfer of millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake bank accounts set up in other countries.

If not for a video surveillance camera filming an ATM machine in Kiev, the Carbanak malware might never have been detected.

From the US$ 81 million stolen from the Bangladesh Bank in February 2016 only US$ 15 million has been recovered and there is still no word on who was responsible. Cyber attackers illegally transferred US$ 81 million from the Central Bank of Bangladesh (CBB), to several fictitious bank accounts around the world, by subverting their SWIFT accounts.

The Bangladesh Bank heist is a perfect illustration of the future complexity involved in monitoring instant payments.

The WannaCry virus, quickly infecting more than 200,000 businesses in 140 countries. locking computers until a ransom was paid.

Fighting Back with Innovation

 

The only credible answers are detection and transaction monitoring systems built on new technology, with machine learning and artificial intelligence at the core and not relaying only a rule-based approach.

 

Criminals don’t use rules

 

Algorithms that continue to improve, with the support from financial crime and AML professionals, these systems learn to identify suspicious activity where there is a higher probability of a financial crime committed and/or money laundering actually occurring. Therefore, bank staff can focus on the real alerts and not get swamped down in false positives.

Another technology-based approach that continues to develop, provides insights by taking large amounts of account data and generating a visual map. Suspicious relationships and payments can be tracked as they move between bank accounts, regardless of whether the payment amount is split between multiple accounts, or those accounts belong to the same or different financial institutions. The software creates a visual map of where and when money has moved, providing new insights and intelligence for fraud and compliance teams to take action.

By bringing together transactional data from multiple financial institutions and running sophisticated algorithms, such solutions can identify the so-called “mule accounts” that are used for money laundering and other illegal activity. Many of these accounts are not set up directly by the criminals themselves but via a number of scams including phishing, spam email, instant messaging etc.

It is worth pointing out that while technology is a necessary condition for successful financial crime and money laundering prevention, however, it is not the only tool. In addition, financial institutions will need to review their compliance procedures, risk assessments, and their service offerings to strike the optimum balance between competitiveness and security.

What should be the upper threshold look like?

Should priority to VIP and profitable customers be given when reviewing suspicious transactions? What about social and political issues? (For example, Muhammad is the world’s most common name, and also appears a lot on sanctions list. But that also means a significantly large number of false positives, which could lead to claims of unfair profiling.)

And finally, even with advanced technology and effective redesign of processes and procedures is meaningless without a sufficiently well-trained staff to detect suspicious customer behaviour and be reliable gatekeepers, especially at on-boarding of new customers.

 

Author Paul Allen Hamilton

For more articles on financial crime and Anti-Money Laundering join the AML Knowledge Centre at https://www.linkedin.com/groups/8196279/

Sanction Screening the Intensive Care Patient…Innovation the Cure!

Sanction Screening the Intensive Care Patient…Innovation the Cure!

However, minor the task of sanction screening or name filtering sounds it contributes to a significant amount of false positives and is a time consuming task that leaves less time for other AML patients.

And in today’s environment of tighter AML regulations, constantly evolving instant payment initiatives, open banking (i.e. API) and mobile wallets, as the complexity increases so do the false positives.

While this presents major opportunities it puts a lot of pressure on the risk and compliance systems at financial institutions, which need to detect and flag actual threats in real-time. And this new reality has arisen, let us not forget, at a time when regulators are imposing ever-increasing responsibility on those people who are tasked with keeping a financial institution from being compromised for money laundering and terrorist financing.

Therefore, screening individuals and entities is a key task as well as a legal requirement of any compliance program.

“A financial institution discovered, after employees returned from the weekend, hundreds of SWIFT payments had not gone out, because the system had falsely identified the beneficiaries as a sanctioned name or entity”   

The Challenges of Name Screening

Sanctions lists

Sanctions lists can be found in all formats and sizes. Some are country-based, often following United Nations resolutions to promote world peace and human rights; they prohibit certain if not all transactions. Other sanctions are motivated by politics and foreign policy at a national level, as is the case with the United States’ economic embargo against Cuba. A third category imposes targeted sanctions (e.g. the freezing of assets, travel bans and arms embargos) against specific persons, groups, undertakings and entities, as is the case with any terrorist group such as the ISIL (Da’esh) and Al-Qaida sanctions lists.

Many of the national sanctions lists are based on sanctions imposed under UN resolutions, so many of the names appearing on the UN lists also appear on supranational lists such as those issued by the European Union, as well as national sanctions lists such as the USA’s OFAC and the UK’s HMT lists.

Sanctions lists are fairly straightforward. The course of action regarding persons and entities on sanctions lists is clear – they are a no-go for most financial institutions and when confirmed a Suspicious Activity/ Transaction Report (SAR/STR) must be submitted to the local financial investigation unit (FIU) authority. Complication is manifested when a company is not on any official sanctions list, but a shareholder is, therefore you are required to treat it as a sanctioned entity.

Watch lists

Watch lists serve the purpose of assessing a client’s potential risk and includes (among others) PEPs. A politically exposed person (PEP) is someone who has been entrusted with a prominent public function and therefore presents a higher risk for potential involvement in bribery and corruption by virtue of their position and influence. The Financial Action Task Force on Money Laundering (FATF) issued its latest definition of PEPs in 2012:

  • Foreign PEPs: individuals who are or have been entrusted with prominent public functions by a foreign country, for example Heads of state or Heads of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials.
  • Domestic PEPs: individuals who are or have been entrusted domestically with prominent public functions, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials.

This distinction is important for a risk-based approach. Also it’s important to note that there are still countries who do not subscribe to the notion of domestic PEPs being a risk at all.

In addition, persons who are not politically active but who have been entrusted with a prominent function by a state-owned enterprise or an international organization, for example members of senior management, directors, deputy directors and members of the board or equivalent functions may also appear on watch lists.

Being on a PEP or other watch list obviously does not mean that a person is corrupt, but that person presents increased risks owing to the possibility that an individual holding such a position will have far greater opportunity to misuse power and influence for personal gain, or may be open to malign influence by a third party. A point that is often overlooked, but really important as bribery convictions reach all-time highs, is the risk that business partners may pose if they qualify as “public officials” based on their company’s ownership structure if fully or partially state-owned.

Law enforcement agencies, security authorities, national and regional agencies also disseminate various lists. These lists (e.g. Interpol’s Red Notices, the FBI’s Crime Alert List, Europe’s Most Wanted, Singapore Investors Alert and IOSCO consumer protection) can help financial institutions and other organizations avoid doing business with a wrong party and from being drawn into a fraudulent scheme or unwanted scandal.

Adverse media lists

Adverse media comes from a range of local, national and even global sources as well as online social platforms. Adverse media can support a financial institution or a corporate company’s decision to engage or not to engage in a business relationship based on the risk associated with the client from negative news. Adverse media can reveal potential involvement in money laundering, terrorism, various criminal activity and other potential crimes that could have a reputational backlash for a firm.

Lists in general

Although, many lists are publicly available, there are technical challenges because these sources have different ways of presenting information. Some offer well-structured information in downloadable XML files, others in CSV or delimited text files, while others can be drawn from social feeds, blogs, web posts and many are unstructured, and still other sources have online lists across multiple web pages, and some are even in PDF format only.

Not to mention the URLs are constantly being moved, without notice. Therefore, a firm’s name screening might not be including an important source, because the URL changed without notice.

Despite the apparent simplicity and straightforwardness of list screening, selecting the lists that will benefit all areas of your financial crime prevention program can therefore be a daunting task. Here are a few factors to consider:

  • The geographical jurisdiction(s) in which you operate
  • The requirements of local and foreign regulators in the area you operate
  • Your organization’s risk assessment – this must be consulted as a guideline
  • Is an appropriate data structure provided?
  • Does the list provider deploy technology that enables more cost-effective means of data deployment (e.g. through the cloud or interfacing via API)?
  • What formats are data files available in?
  • How up-to-date and “clean” is the data? The lists can hold millions of entries. How well does it manage duplications, expired records etc.?
  • An appropriate update schedule and updating by delta files are a “must have”
  • If an online search function is provided, what techniques are being used to match names?

Data

  • In many cases and for many reasons an institution’s data will have gaps and inconsistencies following the old data processing axiom of garbage in garbage out (GIGO). On the other hand, we’re trying to match against hundreds of lists that have different ways of presenting the information.
  • Inconsistency in basic things like abbreviations (Sr./Senior, Inc./Incorporated, AG/Aktien Gesellschaft, nicknames, etc.) and translations of words that have the same meaning but are spelled different e.g. Germany (EN), Allemagne (FR), Deutschland (DE) can all impact screening results.

Transliteration

A majority of the relevant lists published are in a Latin character set, while many of the names on them originate from countries that do not use the Latin alphabet. Therefore, names that are Chinese, Greek, Islamic, Russian and Thai, etc. must be transliterated from their home language to a Latin one. However, the complication does not end there. For example, in the Arabian Peninsula, Jamal is pronounced Jamal, in Egypt Gamal, and in Algeria Djamal. These are all the same Arabic word, but one that is spelled (transliterated) in various regional ways when written in English.

A further example of transliteration is the voiceless uvular plosive used in Arabic and other languages. It is pronounced approximately like English [k], it’s pronunciation varies between different languages and different dialects of the same language. The consonant is sometimes transliterated into “g”, sometimes “k”, and sometimes “q” in English.

For example, the former Libyan leader’s name can be spelled in various ways:

  • Gaddafi
  • Qadhafi
  • Kaddafi
  • Gadhafi
  • Ghathafi
  • Qaddafi
  • Ghadafi

Beneficial owners

Opaque ownership structures present a real challenge for KYC as criminals, and politically exposed persons (PEPs), etc. hide behind corporate structures.

A company might not be on an official sanctions list, but according to an Office of Foreign Assets Control (OFAC) rule it can be blocked if stakeholders who are on lists have ownership equal to or above 50 percent (this is known as the 50 Percent Rule); thus there is a good chance that the company in question will itself be treated as a sanctioned entity. To put it simply, if company X is blocked and it owns 50 percent of company Y, company Y is also considered blocked, even if that entity doesn’t appear on the OFAC Specially Designated Nationals (SDN) list.

For this reason, it is imperative that corporate ownerships are verified when dealing with certain countries and corporate structures to ensure that none of the beneficial owners are prohibited persons under OFAC regulations.

Practical Actions to take Now

Given the various points raised above, here are some practical steps you should take if you wish to make efficient use of lists and increase the effectiveness of sanction and Pep filtering:

  1. Data Integrity. Get your data in order. A database built on the principles of good data, properly spelled names, sound data structure, and format will go a long way to improving the identity matching process.
  2. Automated Data Collection at every point of customer engagement
  3. Do not simply perform risk assessment, “live it”. This is critical in leveraging the understanding of how these risk exposures impact technological decisions and operational areas of the institution.
  4. Test, test, test – perform random checks to ensure that technology and operational processes are working appropriately and are being consistently applied. Review reports to understand when and why changes are necessary.
  5. Check AML data providers for company credibility, data accuracy,
    well-structure data, depth of content, customer service/support, data quality verified by third party, etc

Apply Innovative Technology

Artificial Intelligence 

True, there is a lot of hype about Artificial Intelligence (AI) and most AI examples that you hear about today – from Google Assistant, Alexa, Siri, or Bixby, to self-driving cars – rely heavily on deep learning and natural language processing. Using these technologies, computers can be trained to accomplish specific tasks by processing large amounts of data and recognizing patterns in the data

Therefore, if you are serious about sanction screening and tackling money laundering with an acceptable return on your efforts and investment, you need to acquaint yourself with artificial intelligence (AI) and machine learning (ML).

Artificial Intelligence and Machine learning uses two types of techniques: Supervised, models are trained on data with known inputs and outputs (also known as categorized data) to identify potentially suspicious transactions. while Unsupervised, models are exposed to raw data to find hidden patterns or intrinsic structures that might signal money laundering or other financial crimes.

The importance of this is demonstrated with the use of supervised learning in sanctions screening where every payment transaction must be screened to check if any beneficiaries are on a sanction or watch list.

However, screening systems produce a lot of false positives that must be dispositioned by a human reviewer, before the transaction can leave the gateway or employees which are greeted by thousands of false positives after an overnight batch screening.

Hopefully, AI can be trained, well enough, to eventually takeover much of the task of reviewing these false positives. There can’t be enough said to the urgency of experimenting with artificial intelligence (AI) now as these models and algorithms need to be constructed, systems set up and then trained, tested, trained, tested and trained until these technologies are taught to address the repeatable high-volume of false positives.

That said, AI is not in itself a “silver bullet” and the process of getting these models up and running can be laborious, therefore, banks should consider cloud-based multi-tenant solutions that share out the cost burden and a can improve time to deployment.

Blockchain Technology

Other technological advances, such as distributed ledger (e.g. blockchain) technology, will help to improve banks’ ability to monitor complex, multi-part transactions. These “smart contracts” with advance algorithms, will allow financial institutions to securely parse data through an AML engine on the blockchain,” in this way banks can store and share data, thus eliminating excessive complex bureaucracy involved in information sharing.

Paul Allen Hamilton

I can be contacted on LinkedIn @ https://www.linkedin.com/in/paulhamilton2/

Photon Photo – Shutterstock

Demystifying blockchain: what it means for KYC

Demystifying blockchain: what it means for KYC

Hardly a day goes by without a news item concerning the use of cryptocurrencies for money laundering. In June the Financial Action Task Force (FATF) told countries to tighten oversight of cryptocurrency exchanges amid growing concern among international law enforcement agencies that cryptocurrencies are being used to launder the proceeds of crime. Countries will now be required to register and supervise cryptocurrency-related firms such as exchanges and custodians, which will
have to carry out detailed checks on customers and report suspicious transactions. Many governments are already acting on this; for example, on 5 August the Thai government announced that it would bring cryptocurrencies under existing financial regulations, monitored by its
anti-money laundering office, AMLO. In a statement to the Thai press, Police Major General Preecha, secretary-general of the Anti-Money Laundering Office (Amlo), neatly summarized the
current lack of visibility over the issue, saying, “We may not find any clue, but that doesn’t mean the wrongdoing does not occur.” Elsewhere, there have been successes. Earlier this year, Europol broke up a Spanish drugs cartel that laundered cash using two crypto ATMs, machines that issue cryptocurrencies for cash. The concern is that cryptocurrencies can be used to transfer money across borders, break down large criminal money transfers into smaller amounts that are harder to detect, and to make payments on the dark web. And while some of this money laundering activity is still conducted using well-known cryptocurrencies, notably bitcoin, criminals are increasingly switching to more anonymized
cryptocurrencies. Yet, while cryptocurrencies are further complicating the AML landscape, it has been argued that the very technology supporting them – blockchain – may contribute massively to reducing the costs and
the challenge of know your customer and anti-money laundering (KYC/AML) through what has already been dubbed the KYC blockchain.

The cost of KYC

As is well known, Know Your Customer (KYC) is hideously expensive for banks. The cost of conducting KYC due diligence investigations of a company or individual can run into tens of thousands. KYC processes provide the backbone of financial institutions’ efforts to combat the financing of terrorism and to detect and prevent criminal behaviours around the world, such as trade-based money laundering (TBML). According to recent estimates, in excess of US$25 billion is spent each year on financial crime risk management in the banking sector, the majority of which is due to KYC. The reason for the high cost is simple: KYC at many financial institutions is extremely inefficient, involving labour-intensive manual processes, duplication of effort and a high risk of error. Up to 80
percent of the effort associated with KYC is dedicated to information gathering and processing, and only 20 percent to assessing and monitoring that information for critical insights. It can take weeks or even months to identify a beneficial owner by locating and validating the relevant physical and computer records. Moreover, the work is typically done many times over, even for the same customer. Each Line of Business (LoB) within a bank performs its own customer checks. The legal entity – be it an individual or an organization – typically provides KYC documents each time it requires services from different LoBs within the same institution. It is difficult or impossible for LoBs to share the information in a secure and easy manner while protecting confidentiality and privacy. Poor customer experience and high operational costs for the bank are not a good business model in a competitive environment. In other articles we have considered how machine learning – a subset of artificial intelligence – may help to address this challenge, but a key problem remains, which is that the trail of transactional records that is required to identify money laundering is typically spread across multiple LoBs, financial institutions and legal jurisdictions. And this is precisely where blockchain, the underlying technology for bitcoin and other cryptocurrencies, could reduce inefficiencies and duplication of effort in KYC information gathering
between legal entities within a large financial institution or even between competing banks.

The Singapore trial

But how realistic is such an approach? A prototype tested in Singapore in 2017 involving OCBC Bank, HSBC, Mitsubishi UFJ Financial Group (MUFG) and the Infocomm Media Development Authority (IMDA) was the first KYC blockchain in South-east Asia and the most public trial to date. It was
claimed that the prototype could solve the current practice of collecting and verifying personal information from customers repeatedly, reducing the costs by 25-50%, according to KPMG. Like cryptocurrencies, a KYC blockchain prototype operates on a distributed ledger technology and
enables structured information to be recorded, accessed and shared across a distributed network using advanced cryptography. With the customer’s consent, LoBs can share information accurately and efficiently with a clear audit trail generated on the blockchain. With a KYC blockchain LoBs can securely search customer information, generate requests for KYC
documents from other LoBs that have already verified customers, store validated customer documents and re-use them where required. The infrastructure can also be used for sharing customer profiles and alerts, which can trigger mitigation procedures when required in response to
alerts. The Singapore prototype reportedly remained stable even with a high volume of information, was resistant to tampering and maintained data confidentiality. Some fintech companies have now built their own blockchain technology-based distributed ledger systems.

Self-sovereign identity systems

A further development of blockchain-based technology that may reduce KYC costs is “self-sovereign identity” (SSI) systems. Through the use of distributed ledger technology, SSI enables individuals to retain control over their data while at the same time being verifiable for banks and other relying parties through the public recording of verified claims. SSI could be the next step in identity management, combining traditional means of identification with new technology-based systems (such as asymmetric key, one-time password, biometrics) in a distributed system. Its relevance to KYC is that it adds a layer of security and flexibility allowing the identity holder to reveal only the necessary data for any given transaction or interaction. Under existing practice, a bank has to access highly centralized pools of data time and again in order to verify identity. This has a high degree of dependence on data sources that are vulnerable to hacking. Data vulnerability is potentially damaging to both the bank and the bank’s customers, whose identity may be stolen and either used to carry out fraudulent transactions or to provide that identity to another person, who
can then use it for (among other things) for the purpose of money laundering. SSI could reduce the bank’s dependence on a centralized data pool and processes that were not designed for a decentralized, distributed and instantly connected world. An identity blockchain in which a bank has node status would provide a solution that resolves the conflicting demands of financial security and personal privacy. Such solutions for managing self-
sovereign digital identities are already in a fairly advanced stage of development.

How much of this is hype?

While there are similarities between the technology behind bitcoin and the proposed systems to assist with anti-money laundering, we should be careful that we are not blinded by the hype. As
Investopaedia recently reported:
Compare that open, permissionless blockchain to the “private” or “permissioned” blockchains that established tech and financial services players, along with a gaggle of start-ups, are developing on their own or through consortia. Rather than a trustless network of thousands of strangers, they propose to build small networks of known, vetted actors – or in some cases, to keep the blockchain to themselves. The result makes compliance with [AML and KYC] laws easier … but at some point, these purported blockchains have little to do with the innovation that underpins bitcoin. The truth is that technological change tends to be incremental and evolutionary, building on earlier advances. In the case of blockchain, this “revolutionary” technology is based on the successful combination of several pre-existing technological approaches: primarily, decentralized networks, cryptography, and consensus models. Blockchain makes it possible to exchange values in a decentralized system. Cryptocurrencies and the proposed KYC blockchains have this in common, but the commonality ends there. The blockchain hype cycle has peaked and is now in what Gartner terms the “trough of disillusionment”. This is inevitable. No new technology has ever solved more than a small fraction of the problems faced by humankind (well, not since the wheel). Blockchain (we will increasingly see the terms distributed ledger systems or hyperledgers) will bring benefits in many areas of human endeavour, including AML and KYC, but it will be no “silver bullet”. Doubts remain about its scalability, and the competitive nature of the market, concerns about confidentiality etc. will set limits on its application. That said, there is no question that these technological developments are highly positive. The bottom line? A realistic assessment is that KYC blockchains and SSI-supported onboarding will
not fundamentally transform due diligence processes but, especially if combined with other technologies, they could reduce the cost of KYC by something in the range 20%-30%. That will have a significant impact on banks’ ability to combat common forms of money laundering.

Any major financial institution would jump at that!

Join us @ LinkedIn https://www.linkedin.com/groups/8196279/ to stay up- to-date on financial crime topics affecting your industry.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close