Sponsored by ?

This article was paid for by a contributing third party.More Information.

Managing AML and fraud – A risky business needs a risk-based approach

Managing AML and fraud –  A risky business needs a risk-based approach

Financial services organisations (FSOs) are expected to meet strict financial crime regulations regardless of their size, and those with smaller budgets and fewer resources are finding this increasingly difficult as regulations, guidelines and threats continue to evolve. Regulators are also expecting FSOs to use the risk-based approach to target their anti-money laundering compliance resources. Risk.net hosted a webinar in association with NICE Actimize on the benefits of a risk-based approach to combat money laundering and other forms of financial fraud

Financial services organisations (FSOs) are expected to meet strict financial crime regulations regardless of their size, and those with smaller budgets and fewer resources are finding this increasingly difficult as regulations, guidelines and threats continue to evolve. Regulators are also expecting FSOs to use the risk-based approach to target their anti-money laundering compliance resources. Risk.net hosted a webinar in association with NICE Actimize on the benefits of a risk-based approach to combat money laundering and other forms of financial fraud

Adam McLaughlin, NICE Actimize
Adam McLaughlin, NICE Actimize

There is growing consensus among regulators globally that financial institutions should by now have embraced a risk-based approach to their efforts to counter fraud and money laundering in the global financial system.

This does not mean there is consensus among banks about their methods. Rather than a simple one-size-fits-all prescription, a risk-based approach implies flexibility, with AML and anti-fraud functions tailored to an individual institution’s own situation.

“Whether you are big, small or medium-sized firm, every firm has to comply, but everyone’s risk is different,” said Adam McLaughlin, Europe, Middle East and Africa (Emea) head of financial crime solutions, NICE Actimize.

“Nobody is exempt from it, but everyone has to adapt the risk-based approach differently dependent on what their organisation does, the clients they have, the services they offer and the size of the organisation.”

The overall quality of AML continues to move in the right direction, McLaughlin emphasised, as compliance officers and money-laundering reporting officers (MLROs) across different entities have been given a common destination, but encouraged to steer their own chosen course for how to arrive there.

“To my mind there have been two types of compliance officers,” McLaughlin said. “There are those who ask, ‘Have I done enough to be compliant?’, and those who ask, ‘Have I done enough to stop financial crime?’ These are two very different things.”

The first represents the tick-box approach of the old school, now out of fashion. “The latter is more to say: ‘I appreciate the social impact of financial crime, I understand the damage it can do, and I will do whatever I can to stop it, even when that means going beyond the letter of what the regulator says.’,” added McLaughlin.

Signs of change

Before the MLRO community can congratulate itself too much, however, he noted there is still a long way to go, with too many firms still just meeting the minimum standard and few trying harder.

AML is still only catching a drop in the ocean of global illicit finance, McLaughlin noted. Figures from the National Economic Crime Centre estimated at least £100 billion is laundered through the UK each year, of which only about 0.2% is successfully recovered.

In recent years there have also been high-profile blow-ups at some large international banks, caught napping and allowing dirty money to be laundered. In such cases, regulators have levied fines to punish institutions, making clear that allowing firms the latitude of a risk-based approach rather than prescriptive rules should not translate into a lax regime.

Banks that have been stung have belatedly moved to put new systems in place, as well as introducing stronger governance and new talent to their ranks.

A recent example of firms going beyond the tick-box approach, McLaughlin suggested, is by beginning to introduce real-time AML transaction monitoring. Estonia is so far the only European country where the regulator has mandated this, he noted.

“This is indicative of a shift, I believe, in how organisations are approaching financial crime and trying to recover illicit wealth, rather than just ticking the boxes,” McLaughlin said.

“If you can stop the payment and file a suspicious activity report (SAR) in real time, you’ve got a chance of stopping that wealth from moving across the system and from going to the criminals – at which point it will never be recovered.”

Reputational risk

It has been the household names of international banking that have fallen foul of regulators in recent years, but in the same timeframe there has also been an influx of smaller and non-traditional financial firms competing in the market. These smaller brands must navigate their own risk-based approaches to AML.

One advantage start-ups have over their older rivals is that they are relatively unencumbered by the layers of legacy systems that can hold back large banks from updating their technology.

“We started from scratch a few years ago, and as we’ve built up the business, we’ve also been able to build our controls on a risk-based approach,” said Rebecca Marriott, vice-president of risk and compliance at Tide, a UK-based financial technology firm. “As a smaller firm you have finite resources, but that is why a risk-based approach is so important to us – to better understand our risks, rather than just comply for compliance’s sake.”

Regulators are now paying increased attention to smaller entities, old and new, McLaughlin suggested, so that the savvy ones are looking to invest in financial crime technology.

“We know some of them have the right technology and people in place, and are quite robust in their approaches,” he said. “However, other firms have probably been a bit more lax, because it hasn’t been at the forefront of their minds. Some of these firms are now looking to technology solutions to bolster their compliance programmes because they are worried about getting fined.”

For Marriott, a risk-based approach to AML has a moral dimension that goes beyond compliance fears, she emphasised, adding that reputational risk is even more important for smaller firms reliant on attracting new customers and investors.

“I am so passionate that we are fighting financial crime for moral reasons as well as compliance and regulatory reasons,” she said. “We don’t want criminals on our books and we don’t want to be a conduit for money laundering or any type of financial crime. This is about going ‘above and beyond’ to make sure we build the right culture from the beginning.”

Really knowing your customer 

Knowing the customer is an important aspect to a risk-based approach to AML. An audience poll during the webinar asked: ‘Do you believe your organisation has a strong risk-based approach to know-your-customer (KYC) and AML?’ Worryingly, almost 30% of respondents said no.

Marriott said: “I wonder, if we were to dig deeper, how much of that comes down to doubting there is a risk-based approach in place or how much of it relates to a lack of communication within an organisation about what that risk-based approach is.”

Any KYC approach will almost inevitably differ between each company’s own mix of clients and products. Each company’s mix of clients and products leads to different KYC approaches. So a static checklist is not a helpful approach to AML even within the walls of a single organisation, pointed out Gerard Green, Emea head of AML at Invesco.

“The client’s experience is important to consider when implementing a risk-based approach,” he said. “You cannot just go through a set of 10 risk factors and come out with a positive client experience if the due-diligence questions you ask don’t actually apply to that individual client. Nor will it provide an accurate risk assessment. You need to implement your checklist within your teams as a starting point to set out the parameters. However, you need to upskill your teams and keep them trained so they understand, and apply the appropriate factors to maintain a true risk assessment according to the KYC requirements and profile in each situation.”

The advantages of a more joined-up approach between counter-fraud and AML teams is also something many financial firms are exploring. “I’ve worked at a global bank where they were separated, and you can feel like your left hand doesn’t know what your right hand is doing,” said Marriott.

“At Tide, we deliberately have them combined, and we have done that from the beginning. We need our analysts to be able to react to typologies or trends, and we want them to be aware of financial crime as a whole,” she added.

Many larger firms, despite their comparatively great resources, do not have such a holistic approach to financial crime, creating challenges for teams and potential risks if activity falls between the cracks amid the silos.

“Whether or not you have separate or combined anti-fraud and AML teams, you can share that data holistically and see the data as one,” said McLaughlin. “Incidents and alerts might be closed as not suspicious, but if you can start cross-pollinating data, two seemingly separate incidents can suddenly become linked and suspicious, leading to an SAR.”

For a smaller firms, there are also efficiency advantages, such as using the same system for transaction monitoring for fraud as well as AML, Marriott noted. On the other hand, linkage between the two functions can also make the most out of the talent being recruited, Green suggested, including people with experience or expertise relevant to both.

“Certainly, in my industry, they need to be combined because otherwise you won’t necessarily be able to detect the red flags,” said Green. “Any team needs varied skills among its members. There can be project managers for X and operations for Y, but we also have people who have left the police force to join the asset management industry, and an AML team benefits from this diversity.”

He gave an example of a third party attempting fraud on a client account. “You need to know all the particulars of your client, and that comes from the AML due diligence you’ve performed such as address, bank details, typical activity on the account, and so on, to identify that something doesn’t seem right,” Green added.

Technology is perhaps the most important tool to unite teams, most notably amid the remote working conditions during the 2020 Covid-19 lockdown. Green emphasised its role in linking the front office, sales teams, back office, operations and AML, so that, for example, all functions can enter client details into a single system accessible to everyone.

“The client detail can then flow automatically through a digital workflow system to the AML team, who can pick it up and quickly respond with what they need, to bring that new business and client on board,” said Green.

Too much of this kind of work is still conducted via email, he suggested, representing an inefficient approach using decades-old technology.

“It is a necessity to utilise the technology that is available today to bring teams together. Email is still important, but it is overrated. Replacing it with newer digital technology can create a lot of operational efficiency within the organisation,” he added.

Collective intelligence

It’s fair to say that, usually for competitive reasons, banks do not do a great job of sharing risk information with each other. In one positive example, McLaughlin pointed to the Netherlands, where five large banks are beginning to increase their data sharing through a joint transaction monitoring consortium.

“I think this is the next big thing that is going to happen in our industry. For too long we have been handicapped in fighting financial crime because we don’t share data,” he said.

“The Dutch authorities are so serious about this that they are looking to change their data privacy laws to make it easier. They want a single transaction monitoring solution between all five banks feeding their data into a single solution, which then allows them to see if the same criminals are using those five banks but providing different names, for example, to try to evade detection.”

That means law enforcement agencies and other financial institutions – as well as internally within the largest organisations – need to know that data, he noted, to add to the holistic view to which organisations are increasingly striving. The alternative is to provide blindspots for financial criminals to exploit.

“We have created this problem for ourselves, to the point where some large international banks don’t even talk to each other enough across their subsidiaries, and that is within the same group,” McLaughlin added.

In the UK, a step in the right direction was the formation in 2015 of the Joint Money Laundering Intelligence Taskforce (JMLIT), an intelligence-sharing project developed by the government and police, the British Bankers’ Association and financial institutions. From its initial trial, the model has gone on to inspire similar initiatives elsewhere in Europe, the US, Hong Kong and Australia. 

“That was a real first as a public-private partnership to combat financial crime,” he said. “However, we still have this bank-to-bank information gap, and different jurisdictions also don’t talk to each other. There are gateways in the European Union’s Money Laundering Directive – if there is a common transaction flow you can share information, but it is not generally used.”

Managing big data

Much of the new technology being introduced to boost AML capabilities is offered via cloud computing services. As a fintech, Tide is among those advocating a cloud approach.

“All of our systems are in the cloud,” said Marriott. “It has made moving everybody to remote working much more straightforward during the Covid-19 lockdown, for example. Also, as we add technology and systems to our platform and our controls, they are all cloud-based and fit together nicely.”

She also emphasised the data benefits of cloud, which puts less strain on using big data analytics than keeping data in-house. “We are a data-driven organisation. We are proponents of using our data to understand our customers’ activity, and to look for anomalies and changes in behaviour. That is where cloud technology comes in so handy.”

With so many cloud products and software-as-a-service options on the market, she emphasised the importance of quality control when choosing vendors, particularly for data protection regulation and sanctions regimes.

“How do you know that the technology does what it says it does? For your sanctions or politically exposed persons screening, how do you know it is switched on and it is screening? We have a big emphasis on that in our second line of defence at Tide, given we have so much cloud technology in what we do.”

Cloud helps store large volumes of data, but it is artificial intelligence that is helping crunch the numbers. Manual analysis simply can’t keep up with the exponential growth of big data, or spot patterns and anomalies quickly enough.

“Our customer queries, our investigations, our transaction monitoring – everything has multiplied, and operational efficiency becomes even more important,” said Marriott. “We’ve only a certain amount of people and systems, so how do we use our resources most efficiently? It might be fine-tuning transaction monitoring or moving KYC analysts to high-risk cases, for example, to manage that risk-based approach.”

A new normal

“The criminals never sleep,” McLaughlin warned. “Crime moves on, criminals move on, typologies move on. They are always looking for new opportunities, they are always looking at new ways of working and new ways to make money. Covid-19 provides a classic example of a changed threat landscape. The new normal has shifted.”

This is because coronavirus has turned usual patterns of customer behaviour upside down, including patterns of suspicious activity. Customers who preferred cash are now using their cards, in person and online, and businesses used for laundering dirty money are now shut down. Fraudsters are conning people with fake testing kits and false track-and-trace messages. Banks are being encouraged to quick offer loans to struggling businesses, as well as under pressure to keep accounts functioning as normal while customers face disruption to their day-to-day lives.

Covid-19 has also upended the way teams work, removing inefficient manual processes and accelerating trends of relying on technology for remote working. “We are fortunate that everything we do is online and via the cloud when we had to suddenly move to remote working, so we were still able to offer all of our products and services to our customers,” Marriott said.

With so many sudden shifts in behaviour – by law-abiding customers as well as the criminals in their midst – Covid-19 represents a huge challenge to any risk-based approach. However, it is also plays to the flexibility supposed to be an advantage of such approaches.

“The risk-based approach should always be evolving,” said Marriott. “Covid-19 provides the perfect example of this. Our risks are clearly changing, from an AML and financial crime perspective, and across the business. Now, more than ever, we need to constantly adapt what we’re doing, re-evaluating our risks, reviewing our risk assessments and reforming a risk-based approach.”

Listen to the full webinar, Managing AML and fraud – A risky business requires a risk-based approach

The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here