Financial crime is a fast-growing problem for Asia‑Pacific financial services firms. Working with outmoded systems and patched-up processes to detect, monitor and eliminate potential threats, banks are spending millions on sophisticated new solutions to combat money laundering
- Richard Carrick, Regional head of financial crime assurance, Barclays
- Damian Matich, Global head of fraud analytics , NICE Actimize
- Choon Boon Tok, Vice-president, Asia‑Pacific Lead for financial crime analytics and intelligence, Deutsche Bank
- Moderator: Philip Harding, Contributing editor, Risk.net
Globalised money markets have been labelled an open invitation to financial criminals. Asia‑Pacific’s financial markets are the fastest growing worldwide, and as such represent the biggest front in the global struggle against fraudsters, market abusers and money launderers.
Eighty per cent of respondents to a Risk.net survey on current practices agreed that financial crime is one of the fastest-growing risks to their business. Risk.net hosted a webinar in association with NICE Actimize to assess the complex challenge of financial crime investigation, and find out how firms can drive efficiency gains and where new analytics applications offer greatest benefits.
Asian banks face pressure from governments, regulators and supervisors to face up to the challenge. The market is duly responding with new technological applications in financial crime analytics, particularly in the realm of robotic process automation (RPA) and artificial intelligence (AI), which have the potential to be revolutionary.
Money laundering is, by its nature, complex and global in its efforts to circumvent barriers and avoid detection. The risk requires a co-ordinated global response from banks, underlined Richard Carrick, regional head of financial crime assurance at Barclays, based in Singapore.
“I don’t think there’s a particular region or country that can sit in isolation from the rest. You’re going to see a lot of the payments making their way around the world, and Asia is going to have its fair share of those,” Carrick said.
“One bank will only ever have limited visibility of part of it. That’s a big challenge for transaction monitoring and sanction-screening systems – particularly if you’re putting in quite binary red flags just to meet regulatory requirements,” he said.
If globalisation plays to criminals’ advantage, so do political developments. A high proportion of fines meted out to banks are for sanction violations. Carrick highlighted sanctions regimes put in place by governments as a “rapidly changing element” within the political landscape, with new and secondary sanctions adding further pressure on banks to keep up to date with authorities’ latest rule-makings.
Technology, too, is constantly evolving, and some of its newer aspects are revolutionary in nature. While that can aid banks’ anti-money laundering (AML) efforts, criminals are usually a step ahead. Cryptocurrency, for example, has arisen within the past decade as an online rival to traditional foreign exchange markets, without regard for political boundaries, to play a greater part in the global payments landscape.
“Japanese police have reported a tenfold increase in money-laundering cases linked to cryptocurrency in 2018. Advancement in technology has allowed the criminals to make such transactions quickly and anonymously,” said Choon Boon Tok, vice‑president, Asia-Pacific lead for financial crime analytics and intelligence at Deutsche Bank, based in Singapore.
Regulators have woken up to the money-laundering risk posed by cryptocurrency transactions. Old regulatory regimes are being updated or overhauled. Carrick pointed to the European Union’s Payment Services Directive 2 (PSD2) as a regulatory lodestar.
“PSD2 would cover some of the cryptocurrency exchanges and provides the necessary legislation to define how cryptocurrency could be treated, such as a currency or a security,” Carrick said.
With criminals using cryptocurrency as cover for their dirty laundry and the regulatory picture for policing it still emerging, banks have, for the most part, yet to grapple in a meaningful way with cryptocurrency.
“Perhaps the major saving grace of this emergence of cryptocurrency money-laundering cases is that these cryptocurrency exchange operators have not yet been brought on board by the major financial institutions,” Tok added.
The industry will need to combine its AML efforts to counter such threats. There was a warning that the criminals may be more adept at collaborating than the bankers. The so-called dark web recesses of cyberspace, where criminals regularly buy and sell stolen data, as well as communicate opportunities, can help co-ordinate attacks.
“The criminal syndicates are highly organised. They work in networks. Despite the fact that they may be in opposition to each other, they can actually work very closely together,” said Damian Matich, global fraud analytics manager at NICE Actimize.
“We’ve witnessed a situation when a bank’s anti-fraud system has gone down and the fraudsters have piled in through that breach in security and stopped fraud at all other banks. It was just one example of the collusive nature of how the criminals work across the dark web, by swapping information to target areas of weakness in the banking system,” Matich said.
Several banks in Europe have fallen foul of regulatory fines for AML compliance failures. In March 2018, Standard Chartered was fined $4 million by the Monetary Authority of Singapore (MAS), perceived as one of the best globally, putting out demanding standards with an eye for detail.
Danske Bank was hit last year by a Russian money-laundering scandal at its Estonian branch, causing its chief executive to resign amid investigations by regulators in several countries. Tok said the case had resulted in regulators asking more questions.
“If we go back to this Danske problem, the money-laundering issue lies with the correspondent banking clients. These transactions pass through many financial institutions, but they have no idea of the identity of the originator or the ultimate beneficiary. This leads to getting blindsided,” Tok said.
“In the past six months, regulators have been asking questions of teams focused on correspondent banks, asking how we monitor them and how we vet them to ensure that they are legitimate clients not the bad guys. This is getting challenging from a data perspective as well as processing controls,” he added.
Regulators have also expanded the scope of their gaze, particularly to clamp down on tax evasion. Carrick noted UK rules that are impacting his bank’s Asian operations.
“The Criminal Finances Act has made it a criminal offence for a bank to provide tax evasion advice to a customer. That’s always been a problem, but it means the onus of responsibility has now shifted towards the bank,” he said.
“Like any regulatory initiative that comes out, it has the effect of making the bank sharpen up, so that you might put a special project team together to make sure that you have upgraded your policies, procedures and controls to be fit for purpose.”
Could do better
Compliance has too often been a case of putting systems and controls in place to meet minimum standards, Carrick explained. Policies and procedures – nominally to combat financial crime – have been aimed more towards meeting regulators’ expectations. This means when the supervisors inspect defences, the bank gets a good report. However, when a breach occurs, the regulator will usually still punish the institution, Carrick warned.
“That’s the point at which banks have become complacent, because meeting that minimum requirement has by no means protected the banks from fines,” he said. “The fines keep coming, usually when criminals are caught on somebody’s book. The whole financial trail then unravels and you start to see banks getting hit with fines, even though the bank has done what they think is the regulatory requirement.”
What has been broken about the banks’ approach is too little focus on understanding how criminals operate, to engineer solutions aimed at catching them.
“If you walk into a compliance department of any bank and ask: ‘Who knows the best way to launder $1 billion?’ you’d get a lot of blank stares back at you,” he said.
For example, few bankers would understand that it is often organised crime informing on itself that gets regulatory proceedings under way, Carrick suggested.
“These criminal networks often get caught by whistleblowing from other criminal networks ratting them out. They use law enforcement to get rid of these guys instead of resorting to illegal ways of getting to them,” he said.
More training to keep up to date with trends in criminal activities, and testing these against a bank’s existing defences would help, Carrick suggested. All too often money launderers get away with it, but when they are caught, they are frequently shown to be using new methods, which is vital intelligence to be promulgated to AML professionals while it is still relevant, he emphasised.
“There’s insufficient emphasis placed by banks on understanding how money laundering works. Banks should put in place continual educational programmes so that staff are always up to date with the latest money-laundering techniques, and so that they can then stress-test the bank’s controls to see whether they can be circumvented,” he added.
Matich agreed that banks need to move towards a more proactive strategy, although the regulatory barrage means much of their AML effort remains reactive to the latest moves by various regulatory authorities.
“The increasing regulation drives the financial institutions,” he said. “They have tended to be reactive, but we are starting to see them trying to get ahead of the curve, to address these issues in a more proactive fashion and work more in collaboration with the regulators. That’s been underlined in a recent consultant report as an important factor: that there needed to be greater collaboration between the public and private partnerships, the regulators and the industry.”
There is broad consensus that banks need to do better. A woeful 23% of respondents to Risk.net’s survey described themselves as confident in their company’s AML systems and processes.
Investing in people, recruitment and building up a talented staff is one area in which to improve, continuing Carrick’s comments about a lack of awareness and education. Half of survey respondents chose building up skills as bringing the biggest improvement to their AML efforts. Traditional approaches have been very people-intensive.
“Traditionally, you’d have an army of people chasing false positives,” Carrick said. “Now, it’s not so much of a numbers game. Now, the difficulty lies in getting a new breed of financial crime professionals combining several skill sets: somebody who actually understands enough of the technology side, somebody who understands basic data analytics and somebody with the business skills as well.”
Matich pointed to a problem in data quality at big banks and the need to clean it up to provide useful analytics. Know-your-customer (KYC) processes have also grown more complex in line with stricter regulatory demands, for example to identify the beneficial owner in any transaction.
False positives and their alarming frequency using current monitoring systems is a recurring cause of AML frustration. “Long major alert-generation queues then form, turning into cases, which take a lot of investigation time, as well as quite skilled resources to do that investigation, plus the filing of suspicious activity reports (SARs) to the regulators,” said Matich.
Digitising paper-based trades for monitoring is cumbersome, Matich suggested. “It’s dogged by data issues. Trade-based money laundering is mostly paper-based, so you require specific and advanced technology to digitise that data. So there’s a whole series of issues that plague current banking systems and financial crime systems. From what we’re seeing in the market, most banks have significant problems in these areas,” he added.
When banks investigate a payment for fraud, alerts are raised rapidly and the processes are quick, focusing on striking a balance between customer experience, financial loss and operational cost.
For AML, the processes are more complex for a range of transaction types. The correspondent banking issues raised by Tok, for example, are dogged by a lack of data about the third party through the other institutions involved in the chain.
“Data is a key driver,” said Matich. “If you can bring that data together through tools such as entity resolution, it’s great – but that’s very advanced technology. Poor-quality data and the broad nature of the detection challenge will typically generate lots of alerts, making cases, which require investigation. And you can’t pass information between counterparties if an SAR is being prepared, because that would be a tip-off,” he said.
Even if a bank has passable data to work with, issues will arise, such as how to segment the customer population or how to develop systems of rules, Matich noted. Large compliance departments on limited budgets are reduced to reactivity, to the volume of investigations work generated and the demands of regulators, such as creating the many SARs. All of this is leading banks to conclude that AI could be the answer to their problems.
“Machine learning is being viewed as the nirvana to reduce false positives, but you will still have a complex case investigation process, which through robotics you’re hoping to optimise,” said Matich.
Tok outlined four areas to improve. The data problems facing many banks are the first of these: a lack of granular data, wrongly classified data and, for some firms, failing to capture data at all. “These issues are hindering the investigation process and the deployment of advanced AML scenarios in the monitoring systems,” he said.
The second is an inefficient workflow, typically built within silos, such as separate systems for KYC, customer due diligence and for onboarding documents. “Once the alert is flagged, the investigator has to go through these different systems to capture the required data and piece them together before they can start their investigation, which takes time and effort,” Tok continued.
Next on Tok’s list is inefficient allocation of resources, starting with first-level investigators, for whom many alerts can be closed with one look as false positives. Then, at the second level, a regional team decides if it is investigation-worthy, followed by a third-level country team, ultimately responsible for filing SARs. “You’ve got a lot of resources allocated at each level, with so many people working on these alerts at each step test to investigate the alert,” Tok said.
His last point goes back to data granularity, and the low-value, high-volume manual tasks that go into compiling different data from different sources before they can be investigated. “If we can get a better dataset and more granular data, we can take the step forward to get the false positives down. Currently, in most scenarios, we see less than 10% true positives,” he added.
Four in 10 survey respondents highlighted machine learning and AI-assisted processes as the biggest driver for efficiency gains. This is in line with the many banks piloting such advanced analytics tools.
Better use of data analytics can be a good place to start for firms looking for low-hanging fruit in efficiency benefits, according to Carrick.
“Many banks are starting to realise that you need to start enabling smarter decisions by using analytics, primarily to cut down on the huge amount of time spent on investigations,” he said.
He suggested augmented intelligence rather than AI. Banks beginning this journey will be reluctant to jump in at the deep end, he suggested, particularly while simultaneously trying to upskill their work forces with greater technology expertise.
Much of the initial work can be about cleaning and de-siloing data, with gradual introduction of more RPA, the panellists suggested. This can help humans focus on the knowledge work, while robots perform the more labour-intensive tasks, such as data acquisition across silos.
Matich highlighted the value of smarter decisions through entity-driven investigations and visual analytics: “Entity-driven investigations and bringing robotics on to reduce manual effort are really the key points of interest that we’re seeing,” he said.
This is enabling teams to look at the network risk rather than individual entity risk. “That is a hugely powerful tool,” said Matich. “You’re taking a central risk element – either a person, a company or a transaction that is under investigation – and you’re able to see in a network diagram the other risk elements that are linked to that particular entity.”
Barriers to introducing AI into AML tend to be around fear of the costs and of regulators’ attitudes. However, authorities are showing enthusiasm for innovation, and helping banks introduce new technology.
“There’s a great deal of support in Asia, particularly in Singapore and Hong Kong,” said Carrick. “The Hong Kong Monetary Authority, for example, has come up with sandboxes where you can test some of your applications in a safe place.”
Regulators are also coming up with guidance. “In Singapore, the MAS recently published a paper on AI and data analytics, to which I contributed. A lot of this effort is an attempt to let the industry know that this is not something to be afraid of,” Carrick said.
The cost of technology is another perceived barrier. Although significant, it has to be set against the costs of huge workforces engaged in manual processes that could be made more efficient, panellists emphasised.
“There’s an army of people working on AML alerts globally. Robotics and improved analytics are going to change that whole paradigm,” said Matich.
The pattern of hiring will also need to change, he suggested. “Data scientists who understand granular data and the business side are a scarce and high-cost resource. That means significant efficiencies going forward,” he added.
Tok warned that banks’ hiring of human resources in recent years to throw at the AML problem is simply unsustainable. Technology will have to be a large part of the solution, he emphasised. “The tipping point will occur where the cost greatly outruns the benefit. We cannot be adding head count, year after year,” Tok said.
He concluded: “In future, banks will have to be smarter in applying more predictive modelling to predict the behaviour of criminals, more analytics-driven scenarios and more sophisticated parameters for detection scenarios. Not forgetting the robots, which will increasingly take care of the mundane and manual tasks that account for so much of the current inefficiency. All these factors will help lower the costs, which are simply unsustainable at present.”
The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.