Almost immediately, the person controlling the bank account begins to disperse these funds in a flurry of payments to the Czech Republic, Hungary, Croatia and Hong Kong.
Suspicious as these transactions were, NatWest did not freeze the account when the Saudi money arrived. It allowed the outward payments to take place, despite the fact they triggered fraud alerts. NatWest temporarily froze the account, then unfroze it, and by the time the bank’s fraud team properly investigated and took decisive action, it was too late. The account had effectively been emptied, and the funds were long gone.
The $5 million was stolen from my client, an Italian engineering multinational called Maire Tecnimont. In a corporate version of push-payment fraud, somebody impersonated a senior manager at the company’s Saudi subsidiary and duped the payment to be sent out to NatWest in Brixton. From there, the money was funnelled to Eastern Europe and Asia and remains missing, effectively untraceable.
All of that took place in 2018, and Maire Tecnimont is currently suing NatWest in the English High Court over the incident. The bank argues it is not responsible, not least since, traditionally, the legal position has been that banks are not held to have a “duty of care” to third-party fraud victims who are not their account holders.
A court will decide where liability lies, and it is not my intention to prejudge the outcome here. What I would strongly suggest, though, is that the bank’s procedures in this episode were not sufficient to prevent a large-scale fraud, nor to prevent the successful laundering of large sums via the UK banking system.
It is beyond doubt that push-payment fraud on businesses represents a very considerable economic, and crime-fighting, problem. Confidence tricks on individual account-holders tend to get more attention in the press. But similar scams perpetrated on businesses - commonly referred to as “CEO Frauds”, since they involve a scammer impersonating a high-ranking official of the victim organisation - cost billions of dollars a year, according to statistics from the Federal Bureau of Investigation.
The FBI has identified Britain as a major through-station for fraudulent transfers. And unlike individual bank customers, businesses who fall victim to push-payment scams in the UK have scant entitlement to compensation.
Having acted on multiple matters involving CEO fraud, I believe the banking industry has to take this problem more seriously. On behalf of clients, I have made a submission to that effect to the House of Commons Treasury Select Committee, which is currently investigating Economic Crime.
Technology is part of the problem. Often, banks’ anti-money laundering (AML) monitoring depends on decades-old tech and does not include speedy fraud detection. Banks keep their AML and fraud detection procedures bifurcated, meaning they cannot cross-reference the account history against live transactions in real-time. It can take banks a month to review some suspicious transactions, by which time laundered funds have long since been dissipated.
But as any FinTech entrepreneur will tell you, the technology exists to ensure near to real-time monitoring of accounts. It is no longer acceptable for banks to refuse to implement this technology whilst allowing their account holders to launder money and facilitate criminal activities.
Often, banks’ anti-money laundering (AML) monitoring depends on decades-old tech and does not include speedy fraud detection.
At the heart of the problem is that the banks are currently not incentivised to invest in AML tech. Compensating fraud victims doesn’t cost them very much. Typically, a bank will indemnify its own customers in respect of sums lost via fraud through the bank’s own negligence, in line with various banking and customer obligations. But it does not offer similar protections to non-customers whose stolen money has been laundered through its systems – even when the criminal perpetrators are account-holders with the bank. It has little financial incentive, therefore, to monitor against fraudsters amongst its customers. And when the losses imposed on outsiders by those fraudster-customers run into the millions, the bank is even less willing to acknowledge liability.
The UK industry’s Voluntary Code is not fit for purpose. It offers protection to small-scale victims of push-payment fraud (individuals, “micro-enterprises” and small charities), but does not cover businesses with ten or more persons as employees, or balance sheets of more than €2 million.
As fraud becomes more sophisticated and pervasive, that position looks unsustainable. Some £3.2 trillion in company turnover in the UK is found in businesses of more than ten employees. All of these organisations are currently at risk of being defrauded without hope of compensation from the payments industry’s “no-blame fund”. Nor does the Voluntary Code cover international payments.
The result is that banks find themselves increasingly in reputational difficulties. In March - in an issue entirely unrelated to my clients – it was announced that NatWest would face prosecution from the Financial Conduct Authority, for allegedly failing to monitor and scrutinise transactions that turned out to be part of a large money-laundering scheme.
Fraudsters are evolving their methods and moving at pace with technology, whilst banks are falling behind, seemingly content just to trudge along. If the persistence of fraudsters continues to outstrip banks’ determination to combat them, it could fundamentally damage confidence in the UK’s all-important banking system.
This is not to say that banks – as opposed to, say, telecoms companies, whose systems might enable fraudsters to access a victim’s bank details – should have to shoulder all the financial responsibility for compensating the victims of push-payment fraud.
But in circumstances where a bank has been negligent in its implementation of AML controls and fraud prevention technology that is readily available, and the victim has suffered loss, the bank should be required to provide appropriate compensation – whether or not the victim is a customer of the bank, and whether or not the victim is a corporate entity. That, I suspect, would finally focus management attention and technology investment on fighting the fraudsters.
It may be a lot to ask, but it’s not unreasonable, or unfeasible. The GDPR has obliged large companies in many sectors to consider data protection in ways that few would have expected even ten years ago. Social media firms are under pressure to tackle misinformation and prejudicial language. These changes require money and computing power. But they are the changes that a big-data economy and society are demanding. Banks would be unwise to ignore those demands.
Non-stop regulation to tackle emerging money laundering threats
For senior executives within regulated industries, yet another article exploring the next round of regulation to tackle international money laundering is likely to have them scratching their heads or maybe raising their eyebrows.
But, whilst many firms are still bedding down new systems and processes to comply with the 5th EU Anti-Money Laundering Directive (5AMLD), additional rules to counter the growing global threat of money laundering were introduced by the European Parliament at the end of last year.
The 6th Anti-Money Laundering Directive (6AMLD) will be transposed into member states’ national laws by December 2020, and organisations within all member states will be required to implement the new regulations by 3rd June 2021.
Importantly, the regulations will cover all regulated entities across the EU, plus any UK organisations that are operating within the EU after Brexit, whatever the outcome of current political negotiations. Brexit does not represent a way around 6AMLD; any UK business wanting to operate within the EU need to comply with the new rules.
What’s more, there’s a definite likelihood that non-EU states around the world will replicate the content and spirit of 6AMLD within their own regulatory frameworks over the next few years. Much like we are seeing with the General Data Protection Regulation (GDPR), the EU’s recently implemented regulatory framework around data security and privacy, other economies wishing to trade with the EU are developing their own versions of these EU-mandated rules in order to reduce barriers to global trade and drive consistency.
The new regulation lists 22 predicate offences relating to money laundering, providing for clear and harmonised definitions of each specific crime.
So, whilst business leaders and risk and compliance directors across a range of sectors – from financial services to payments, online marketplaces and gaming – may be starting to feel as though they are caught in an AML compliance hamster-wheel, they must get to grips with 6AMLD now so that they can devise plans to ensure they are compliant come June 2021.
6AMLD – what you need to know
If 5AMLD was about expanding the scope of businesses’ obligations in countering money laundering, 6AMLD provides the detailed definition of these requirements. As is often the case, regulators cast the net wide in order to tackle emerging money laundering activities but are now clarifying and refining the rules in order to make them more effective and practical.
6AMLD is highly significant for a number of reasons, namely due to the fact it provides context around the newest forms of money laundering which are emerging within an increasingly digital-driven global economy. The new regulation lists 22 predicate offences relating to money laundering, providing for clear and harmonised definitions of each specific crime.
Importantly, the last of these offences is cyber-crime, which for the first time is included within AML regulation. This is significant because it enables organisations and regulators to root out money laundering crimes more easily and effectively across a wide range of online activities.
In addition to this, 6AMLD is noteworthy because it is very clear in its objective of pinpointing the individuals within an organisation who are responsible for money laundering crimes. The introduction of new offences such as ‘aiding and abetting’ and ‘attempting and inciting’ also extends criminal liability from those directly responsible for converting the proceeds of crime to accomplices in the laundering process. No longer can individuals hide behind a business entity; the regulation is designed to provide complete transparency around who owns and controls these entities.
6AMLD is noteworthy because it is very clear in its objective of pinpointing the individuals within an organisation who are responsible for money laundering crimes.
However, the real headline-grabber for 6AMLD is the introduction of far tougher punishments for money laundering crimes, with member states required to impose minimum prison sentences of five years, up from the previous minimum of one year.
Finally, the new regulation enshrines the requirement for member states to co-operate in the prosecution of money laundering crimes. For example, should two member states each have jurisdiction over the prosecution of an offence, they are required to collaborate and agree to prosecute in a single member state.
Flexibility the key to meeting 6AMLD requirements and driving future growth
While 6AMLD is very much consistent with the spirit of both 4AMLD and 5AMLD, it will require regulated organisations to review their AML monitoring processes and identify areas for improvement within their customer onboarding and operational models.
This will undoubtedly mean further adoption of regulatory technology (RegTech) to automate more of their onboarding processes and tap into a far more comprehensive pool of information on prospective customers, both individuals and businesses.
However, while 6AMLD is set to be the next big deadline, risk and compliance professionals across all relevant sectors should recognise that AML regulation won’t stop there; as new money laundering threats continue to evolve rapidly across the global economy, the pace and scale of new regulation in this area will inevitably accelerate exponentially.
Faced with this level of complexity and change, businesses need to take a broader view of compliance and operational best practices and adopt new processes and technologies in order to stay on the front foot.
So, rather than taking a reactive approach and focusing solely on being compliant with 6AMLD come June 2021, business leaders should focus on instilling a more agile and flexible approach to compliance and strive to establish a governance framework which operates at a higher level than the next, most immediate regulatory requirement, whether that be 6AMLD, 7AMLD or whatever comes next.
Many organisations are now realising that a ‘do the bare minimum’ approach to compliance is simply not sustainable in the digital economy. Instead they are coming to view compliance, and in particular the adoption of RegTech, as a revenue generator and key strategic differentiator. By ensuring they have the flexibility to adapt to changing regulatory requirements easily and quickly, banks can ensure they can be first to market with new products and services, whilst simultaneously minimising their risk.
Indeed, that is why so many businesses are positioning risk and compliance at the centre of their operational model. Whereas once the compliance department was viewed and treated as a back-office function, we see Heads of Risk and Heads of Compliance being elevated into strategic roles and playing a major part in shaping the future direction of the business.
So, as business leaders turn their attention to 6AMLD heading into 2020, they should not only ensure they have the processes, systems and technologies to fulfil their new obligations and minimise risk, but also look on their efforts to do so as an opportunity to achieve a higher level of governance, setting them apart from their competitors in the market. By ensuring they have the flexibility to adapt to an ever-more complex and dynamic regulatory environment, businesses can acquire the speed and agility needed to thrive in the future economy.
Money laundering is a pan-European problem, with 90% of the continent’s biggest banks having been sanctioned for money laundering offences, new research by anti-money laundering (AML) experts Fortytwo Data shows.
The firm found that at least 18 of the 20 biggest banks in Europe - including five UK institutions - have been fined for offences relating to money laundering within the last decade, many of them within the last few years - an indication of how widespread money laundering has become.
Recent crises at the likes of ING, Danske Bank and Deutsche Bank only reinforce this impression, demonstrating how no bank is immune to money laundering sanctions, no matter how large.
All 10 of the biggest banks in Europe are known to have fallen foul of the AML authorities - HSBC, Barclays and Lloyds from the UK, French quartet BNP Paribas, Crédit Agricole Group, Société Générale and Groupe BPCE, Germany’s Deutsche Bank, Santander of Spain and Dutch bank ING.
Others to have been fined in recent years are the British banks RBS and Standard Chartered, Italy’s Intesa Sanpaolo SpA, UBS Group and Credit Suisse of Switzerland, Spain’s Banco Bilbao, Dutch institution Rabobank, and Nordea Bank of Sweden.
All five major UK banks - HSBC, Barclays, Lloyds, RBS and Standard Chartered - have been fined for money laundering offences. Earlier this year, Donald Toon, director of prosperity at the National Crime Agency, admitted in a Treasury Meeting that money laundering in the UK is “a very big problem” and estimated that the amount of money laundered here each year has now risen to a staggering £150 billion.
Banks and financial services companies have faced an uphill struggle to move onto more advanced AML platforms as they often attract a price tag running into tens of millions of pounds, potentially hundreds of millions once the cost of integration, operation and maintenance have been factored in.
More advanced augmentation platforms have moved the conversation on in the last few years, creating opportunities for companies to improve the efficiency of their AML processes at vastly reduced cost, while still using data stored in legacy systems.
Julian Dixon, CEO of Fortytwo Data, comments: “It is clear Europe’s largest banks are collectively struggling having problems when it comes to anti-money laundering standards. The increasing sophistication of the money launderers makes this an ever more difficult task.
“Money should not be laundered on their watch. However, standards must be maintained. The fact that almost all of Europe’s 20 biggest banks are known to have failed to comply with AML regulations is a troubling finding.
“These days, there are effective solutions to be found. Technology has reached a level where it can vastly improve the efficiency of suspicious activity detection and all major banks have a responsibility to embrace 21st Century solutions to this problem, rather than continuing with outdated legacy systems.
“The UK has an opportunity now to lead the way and set a higher benchmark for others. That £150 billion is known to be laundered here every year is a problem that needs to be addressed and if we can clean up our act, others will be compelled to follow our example.”
(Source: Fortytwo Data)
Salvatore LaScala is a Managing Director at Navigant Consulting, where he is Co-Lead of the Global Investigation and Compliance and Anti-money Laundering (AML) Practices. Mr. LaScala has over 20 years experience conducing AML and Sanctions compliance programme reviews, Risk Assessments, Monitorships and Remediations and regularly assists his financial services clients with Navigating regulatory or law enforcement actions. Mr. LaScala also applies his expertise by assisting clients with AML & Sanctions optimisation services that increases the breadth and scope of risk coverage while making the programme more efficient. He oversees Navigant’s AML Technology Team and has helped develop STAR, Navigant’s proprietary Case Management System and Rules engine regularly utilised for AML Look-Backs, Sanctions Look-Backs, CDD Remediations and other compliance and investigative projects. Additionally, Mr. LaScala provides his clients with outsourced Financial Investigation Unit (FIU) teams to both augment existing FIUs on a permanent basis or by providing FIU Surge protection services whereby the Navigant team is deployed to handle an increase in investigative or compliance activity pursuant to a compliance technology transformation or acquisition of another institution or large scale customer on-boarding.
Mr. LaScala began his career as an accountant, attorney and Special Agent with the IRS Criminal Investigations Division of the Treasury Department and thereafter spent over 20 years providing AML compliance and investigative services. He has been with Navigant since 2010.
This month, Finance Monthly had the pleasure to connect with Mr. LaScala and discuss AML in the US and the impact that AI, Machine Learning and Robotics Process Automation have had on the sector.
What drew to the AML field? What excites you about the sector you work within?
My background initially drew me in. As an accountant, attorney and former law enforcement officer, it all came together initially with a consulting job in 1997 with a Big 4 firm specialising in AML and Forensic Accounting. I enjoyed both but spent far more time in AML. I loved developing and dispositioning AML and Sanctions alerts and constantly found ways to make the process more comprehensive and efficient. Eventually I developed ways to make large scale AML remediations, including Look-Backs more efficient by building rules engines, false positive review platforms and custom case management systems. My perspectives as an accountant, attorney and former law enforcement officer helped make these technologies, auditable, regulatorily responsive and feature rich for investigators, respectively. These days I am still excited to be involved because I like working with clients, and because the regulations, financial institutions, and money launderers constantly change. It’s constant learning, which works for me - otherwise I’d be bored.
What is the current state of AML in the US?
This is a very important time for AML compliance - regulators, examiners and law enforcement now know more about AML programmes, compliance technology and payment platforms than ever before, and as such, the stakes for financial institutions regarding compliance become increasingly higher. Financial institutions are quickly adapting and upgrading their technology and overall programmes to maintain compliance and prevent and detect money laundering, terrorist financing and fraud. The ‘bad guys’ however, seem to have far more payment methods and venues at their disposal to commit crimes than ever before in history.
What are some of the key challenges you face on a daily basis and how do you overcome them?
The key challenges include finding innovative and cost effective ways to serve our clients, who are often faced with fines and expensive remediations. Providing the right breadth and depth of services to them in a cost effective way is critical. We also work for financial institutions of all different shapes and sizes, some have been through enforcement actions two or more times and are in a position to better plan their way through those actions with a great appreciation of the effort it takes. Others have either not been through too many regulatory or law enforcement actions, or are unable to communicate to a home office in a foreign country the gravity of a US regulator or law enforcement action, and don’t get the financial support they need to get through it. The challenge in both instances still becomes handling ongoing work or “business as usual work” (BAU) along with regulatory action or some compliance technology transformation. Without consultants helping, there are just not enough hours in the day. Regardless of a financial institution’s capacity to respond to a regulatory action, it’s often best if we get in there early and get them off to a timely start so they don’t also fall behind on BAU, or react to regulators too slowly, which can lead to additional issues.
What are the current AML issues and solutions affecting American businesses?
AML is constantly undergoing transformations. Some of these are based on new and emerging AML and Fraud schemes that the industry has to respond to, other transformations are due to new regulations, such as NYSDFS Part 504 regulations, which add additional layers of accountability on AML programme owners. Still, other transformations are the result of enhancing the regulations and the technology behind it because every time we close a door on money launderers and fraudsters, they both seek out institutions without robust compliance and find new venues through which to launder money. The US and several other markets are attractive to money launderers, fraudsters and terrorists because the financial services industry is vast and because these markets are segmented. This means that some players in capital markets or money service business spaces are very technologically savvy with respect to compliance, while other smaller players in the same segment are not. In fact, we often see challenges where the larger and more sophisticated financial institutions de-market or close customer/client accounts which later pop up at smaller or less sophisticated financial institutions.
How has the introduction of Artificial Intelligence, Machine Learning and Robotics Process Automation impacted compliance and investigative solutions?
Navigant is highly focused on applying Artificial Intelligence (AI), a form of Machine Learning (ML) and Robotics Process Automation (RPA) to our clients in many different areas, including AML and Sanctions. For AML example, we believe that AI/ ML can help existing AML Transaction Monitoring Systems deliver enhanced detection scenario parameters by grouping behavioural patterning to cover more risk and produce fewer false positives. Concurrently, we are applying RPA to the expedite portions of the dispositions of such alerts by removing mundane rote tasks from the analysts purview so that he/she is spending more time on considering the facts, CDD, news and current transactions to determine whether the transaction should be filed on, and less time hunting for data and writing the disposition. Specifically, AI/ML, which helps increase coverage and reduce false positives, and RPA which provides the Investigator more time to analyse the actionable items, are remarkably powerful together.That said, there is a fair amount of work to do, and in the beginning, we need to focus AI/ML only on matters for which the data feed is clean and comprehensive and apply it in a way that is transparent and can readily be described to regulators, examiners and internal audit. The AI/ML revolution won’t survive if the providers that developed it and the financial institutions that use it are not completely transparent. Moreover, even RPA will be better received if it is introduced in stages and when implementations are accompanied by statistically valid data showing that it is more accurate, and saves time such that the ultimate work product contains more thoughtful analyses and is generating comprehensive filings useful to law enforcement.
With Governments increasingly aware of the moral and fiscal costs of white-collar crime, the Dutch crime authority’s decision to hit ING, the Netherlands largest financial services provider, with fines totalling €775 million is of little surprise.
Tackling money laundering is currently high on the national and international agenda of many countries; the EU recently proposed providing the European Banking Authority with greater powers to sanction banks of member states that may be implicated in such activity.
In the case of ING, the bank has been forced to pay out the substantial fine for failing to flag abnormal transactions, and financing terrorism “structurally” by not verifying the beneficiaries of client accounts. The Dutch public prosecution service said that it found “clients were able to use accounts held with ING for criminal activities for many years, virtually undisturbed” from 2010 to 2016. The settlement, which is the largest ever imposed on a company by the Dutch prosecution service, is made up of €675 million in fines, and €100 million as the return of illicit gains intended to deter future violations.
The bank’s CFO has since announced his decision to step down following growing backlash. In addition, measures against ten employees were taken, ranging from dismissals to clawing back bonuses, with the prosecutor accusing the bank of “culpable money laundering”.
This is not a stand-alone case either; watchdogs have clamped down on Credit Suisse and Danske Bank this month over similar money laundering concerns. With authorities prepared to take a hard-line stance against money laundering, there will be severe reputational and financial consequences for organisations which – however unintentionally – enable this offence.
The focus is not simply on the culprits of money laundering, but on ensuring perpetrators have fewer tools to commit such crimes. The relevant authorities will increasingly take a punitive approach to financial institutions with lax crime prevention strategies. Financial institutions, whatever their size, must ensure their tools are inaccessible to those seeking to commit financial crime, or otherwise face extensive fines comparable to ING’s.
This is no easy task and requires a significant investment of time and resource. Banks must ensure they have robust financial crime compliance strategies and programmes in place with appropriate training to reduce risk and mitigate the consequences. This was a point that was not lost on Ralph Hamers, ING’s CEO, who stated that “although [ING’s] investment … [has] been increasing since 2013, they have clearly not been to a sufficient level”.
However, matters should not stop there; processes require frequent review given that criminals adopt increasingly sophisticated strategies to commit offences. Banks, therefore, must remain proactive and vigilant. To this end, the Dutch prosecutor noted that ING’s compliance department “was understaffed and inadequately trained”. In the case of ING, compliance failures were exploited by clients for years for money laundering practices before it was detected.
Effective streamlined processes, such as customer screening and alert processing, informed by risk assessments and financial crime regulations should leave little room for error during due diligence activities.
Iskander Fernandez, White Collar Crime Expert and Partner at commercial law firm BLM
Finance Monthly speaks with Alma Angotti - Managing Director and Co-head, of Navigant Consulting, Inc.’s Global Investigations & Compliance practice, based in the company’s Washington DC office. With her 35 years of public and private sector legal, regulatory, and consulting experience, Alma currently works with financial institutions to, among other things, help them develop, implement, assess, and enhance anti-money laundering (AML) and counter-terrorist financing (CTF) compliance programs required under the Bank Secrecy Act (BSA). She provides BSA/AML/CTF and Sanctions training. She also assists financial institutions in designing their own BSA/AML/Sanctions training policies and programs, conducts investigations and transaction look backs and provides training on AML compliance, examinations, and investigations to regulators globally.
In your opinion how robust is current anti-money laundering (AML) regulation? Is there anything that could be improved?
Legislatively speaking, the current US AML laws are robust.
One important gap in the AML laws is that Investment Advisers are not currently required to comply with the BSA. Investment Advisers sometimes have implemented AML compliance programs as a matter of best practice, but they have no obligation to file Suspicious Activity Reports. Because there is no enforcement mechanism, it is unclear how effective their programs are at detecting money laundering, terrorist financing, and other financial crime. There is a rule proposal that has been pending for several years. I think this is a risk area for the US and global financial systems.
Another area for potential improvement includes a legislative mandate for all companies registering in the US to include beneficial ownership information as part of the registration process and better cooperation among secretaries of state to assist in the identification of potential shell companies and corporations. Requiring the identification and information on the ultimate beneficial owner of a company deters shell companies and corporations from misusing registration systems and entering the US financial market. Understanding the beneficial owner of a customer account, or the ultimate beneficial owner of a financial transaction, are key elements for financial institutions to understand their customers and assess customer risk appropriately. Additionally, if the customer engages in suspicious behaviour, or suspicious transactions, knowing the ultimate beneficial party is integral to any potential law enforcement investigation.
Another area needing enhancement is the ability to share information with law enforcement and between financial institutions more easily. There is currently a US House bill introduced on this subject, H.R. 5783, the Cooperate with Law Enforcement Agencies and Watch Act of 2018. This bill limits a financial institution’s liability for maintaining a customer account in compliance with a written request by a federal, state, tribal, or local law enforcement agency. Additionally, the federal or state agency may not take an adverse supervisory action against a financial institution with respect to maintaining an account consistent with this request.
Beyond legislation and regulatory rule-making, however, consistent and robust enforcement of existing laws, rules, and regulations is critical to ongoing compliance by financial institutions.
What are the current AML issues and solutions affecting businesses and individuals operating in the US?
Some emerging issues that will impact financial institutions are the wider use and holding of cryptocurrencies, virtual currency exchanges (VCEs) looking for banking services, and issuers of initial coin offerings (ICOs) looking for broker-dealer and clearing platforms. Many banks and broker-dealers are de-risking and not providing banking services to VCEs and other high-risk clients (e.g. companies in the medical marijuana industry and customers holding penny stock portfolios) to save on BSA/AML/Sanctions compliance costs. As US regulators of financial institutions rush to regulate these emerging trends, financial institutions are struggling with how to take on these risks without running afoul of ever-changing regulatory expectations.
BSA/AML/Sanctions compliance related to cryptocurrency transactions and performing appropriate due diligence to know your customer when onboarding a VCE is further complicated in the US by the lack of a consistent regulatory definition of cryptocurrency. While many countries view cryptocurrency as currency or legal tender, the US regulatory authorities and law enforcement currently do not agree on whether it is legal tender, a security, or something else. For example, in a 2013 Guidance, FinCEN defined virtual or cryptocurrency as a ‘medium of exchange’ that operates like a currency in some environments but does not have all the attributes of real currency or operate as legal tender in any US jurisdiction. Whereas in 2016, the SEC suggested that cryptocurrency is a security. The Commodity Futures Trading Commission currently believes that it is a commodity, while the IRS views Bitcoin and the like as property that should be taxed.
Regarding ICOs, issuers are coming to consultants like Navigant to help understand unclear regulatory requirements, and broker-dealers are seeking advice on how to underwrite these issuers or onboard ICO companies to their platforms while continuing to comply with BSA/AML/Sanctions compliance laws, rules, and regulations.
What are the AML challenges affecting businesses operating cross-border transactions?
Growth in the volume of cross-border transactions, and greater integration of the world’s economies, have increased the risks that banks and financial institutions face in processing these transactions. Most financial institutions, however, still face challenges that diminish the efficiency and effectiveness of their AML/CFT programs such as: poor data quality and fragmented data sources; outdated technology; poorly tuned transaction-monitoring systems, resulting in high rates of false positives; and the continuous launch of new and complex products and services.
Another major challenge to businesses operating cross-border transactions is the advent and use of mobile payment processing services, and the use of mobile phone payment services, to pay third parties. Millennials are leading this trend by texting cash to friends and third parties, using apps such as Venmo (owned by PayPal), Square Cash or Cash App (owned by Square), Apple Pay, Samsung Pay, and others linked to social media apps like Snapchat. These payment systems obscure whether the transaction is a cross-border transaction, as well as significantly complicating issues such as who the ultimate beneficiary of the transaction may be.
Why is it so important to take an active stance on AML? What are the penalties associated with AML in the US?
Terrorism and transnational organised crime take a terrible toll on societies. The horrific terrorist acts we have seen over the past 20 years cost money and were financed by someone. Our AML/CTF and Sanctions laws, rules, and regulations are in place to stop and deter terrorists from using our financial institutions to finance terrorism, and to stop criminals from laundering the proceeds of other abhorrent practices such as human, sex, or drug trafficking, financing weapons of mass destruction, and nuclear proliferation. Financial institutions play a critical role in protecting the US and global financial systems from these bad actors. We all must be vigilant in this fight.
The importance of financial institutions’ role in fighting terrorism and keeping proceeds of illicit practices out of our monetary system explains the steep penalties for violations of these rules. Individual penalties can range from $500,000 to $1 million (such as the case of Thomas Haider of MoneyGram International) and up to 20 years in prison. Fines for financial institutions vary by regulator and violation. According to Bloomberg,[1] in the first quarter of 2018 alone, federal banking regulators and FinCEN concluded two major AML enforcement actions with almost $1 billion in forfeitures and penalties, the highest ever annual total for federal authorities.
Financial institutions are arguably the most at risk from fraud. What measures can they take to ensure fraudulent behaviour is minimised both internally and externally?
There are many steps financial institutions can take to minimise fraud risk, but at the core of these steps is training and the four-eye principle. Potential fraud — whether internal or external — is significantly reduced by proper training of all staff on the red flags of fraud. Risk is further reduced by ensuring that all processes include more than one set of eyes (i.e., two people — four eyes). Ideally, for transactions most at risk for potential fraud, financial institutions would have a supervisor or quality assurance/control person review the transaction in addition to the employee originating the transaction. A properly tuned transaction-monitoring alert system would then identify any anomalies or potentially suspicious activity post-transaction, further minimising risk.
What changes would you like to see implemented in AML legislation, both nationally and internationally?
As I stated above, I believe it is past time for US regulatory agencies such as the Department of Treasury and FinCEN to assert regulatory authority and oversight over Investment Advisors as financial institutions under the BSA and other AML laws, rules, and regulations. Internationally, it would be ideal to have a centralised repository of beneficial ownership information accessible to financial institutions and law enforcement. Efforts are beginning in some countries to centralise this information, but privacy laws and concerns about confidentiality are often a stumbling block to the sharing of this type of information.
About Navigant
Navigant is a specialised, global professional services firm with focus on industries and clients facing transformational change and significant regulatory or legal pressures. Navigant provides a range of advisory, consulting, outsourcing, and technology/analytics solutions, primarily serving clients in the financial services, healthcare, and energy sectors. Headquartered in Chicago, the company has approximately 5,900 employees across North America, Europe, the Middle East, and Asia-Pacific.
Website: https://www.navigant.com/
[1] Robert Kim, “Q1 Ends with Record $1B in Federal Anti-Money Laundering Penalties and Forfeitures,” Bloomberg Law, April 6, 2018.
For our May edition, Finance Monthly has the pleasure to connect with Salvatore LaScala. With over 20 years of hands-on experience to conduct investigations and compliance reviews on behalf of financial institution clients responding to regulatory or law enforcement matters concerning anti-money laundering, Bank Secrecy Act, USA PATRIOT Act and Office of Foreign Assets Control, he now co-leads Navigant Consulting’s Global Investigations and Anti-Money Laundering Practice in New York. His company serves financial institutions of all kinds by providing assistance with responding to Regulatory Actions in addition to more proactive services. This work includes AML/Sanction Program compliance projects such as including Look-backs, CDD remediations, Monitorships, Investigations, Risk Assessments, Compliance Gap Analyses, Model Validations, NYSDFS Part 504 work and AML/Sanctions Compliance technology enhancement, implementation and optimization. Navigant also provides investigators to clear FIU surge activity, outsourced FIU services, and embedded compliance officers.
In your opinion, how robust is the current anti money laundering (AML) regulation?
It is appropriately robust and evolving in a manner consistent with changes in banking, securities and payment systems.
Typically how do financial institutions manage their money laundering compliance obligations? How can they remain up-to-date and compliant?
Financial institutions face numerous compliance challenges from different areas, including AML and Sanctions. Considering the complexity of these regulations, the rigor of examination and competitive business landscape, these financial institutions typically do very well. We are, however, more frequently reminded of examinations that result in an action, whereas successful exams get no mention. Good risk assessments, independent reviews and Governance, in particular, accountability, oversight and training, go a long way towards keeping AML and Sanction programs up-to-date.
Tell us a bit about your work in the field.
I lead large teams that regularly perform historical transaction reviews (Lookbacks) and KYC/CDD/EDD file remediation work. I also help clients overcome AML and OFAC backlogs by deploying teams embedded at our clients’ work sites to that disposition alerts.
My expertise includes assisting clients with the selection, implementation, optimisation and validation of AML and OFAC compliance technology and enhancing AML transaction monitoring detection scenarios and sanctions filter interdiction logic.
My work is exciting. I am able to market our great services to client, deliver those services, lead teams of highly talented people and enjoy the satisfaction of jobs well done. Moreover, as someone who needs to constantly learn and evolve, the introduction of Artificial Intelligence, Machine Learning and Robotics Process Automation lets us provide more effective compliance and investigative solutions than ever before.
Contact details:
Email: salvatore.lascala@navigant.com
Phone: +1 212.554.2611
Website: https://www.navigant.com
73% of financial crime professionals in UK financial services believe that the 4th EU Anti-Money Laundering (AML) Directive will make it easier for firms to prevent money laundering a survey of nearly 200 professionals has revealed. The Future Financial Crime Risk 2017 report, produced by LexisNexis Risk Solutions, global information solutions provider and part of RELX group, highlights that asset managers were especially positive about the advantages, with over 80% agreeing it would aid the fight against financial crime.
This marks a shift in attitude from when financial crime professionals were surveyed on the potential impact of the 4th EU AML Directive in 2015 as part of the inaugural Future Financial Crime Risks Report commissioned by LexisNexis Risk Solutions. Previously, only 17% of those surveyed believed that the regulation would significantly reduce money laundering whilst nearly a third (32%) thought it would make no difference or increase levels of money laundering.
On 26th June 2017 the Money Laundering Regulations 2017 (which is also known as Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017) come into force which transpose the 4th EU AML Directive into UK law. To support this, the Joint Money Laundering Steering Group (JMLSG) has released revised guidance within which they advise firms to adopt a risk based approach to customer due diligence.
Regulated organisations have been advised to risk assess relationships in order to determine the appropriate level of customer due diligence to be performed. In particular, additional checks are required in relation to identifying and screening beneficial owners when dealing with corporate entities. Therefore, as the demands of AML compliance continue to rise, institutions are required to know more about their customer than ever before.
Mike Harris, at LexisNexis Risk Solutions, comments: “In reality, Britain has always been at the forefront of fighting financial crime – but our research shows the compliance professionals in the financial services sector view the new regulations as further supporting the fight. That said, it’s important not to underestimate the sheer scale of the logistical challenge for organisations resulting from this regulatory change, especially for smaller to medium sized firms.
Many regulated entities may be less au fait with the risk based approach to due diligence than their financial counterparts and the changes that the 4th EU AML Directive brings. Therefore, it is critical that they review the JMLSG’s new guidance and revise their processes, controls and risk appetite for on-boarding customers to ensure they maintain compliance.”
(Source: LexisNexis)
Gordon Dadds, the legal and professional services firm, is urging the UK property sector to get to grips on the 4th EU Anti-Money Laundering Directive or face receiving a hefty financial penalty which could be unlimited.
The Directive which comes into force from today (26th June 2017), combined with the new investigation power being introduced by the Criminal Finance Act 2017, is going to impact the UK property industry significantly with banks and estate agents having to carry out further due diligence on both the buyers and sellers of property which will slow down the buying process by up to 186 days. There will also need to be formal risk assessments and nominated officers will have to be re-appointed if not currently an executive sitting on a board (or equivalent) of the business.
Gordon Dadds predicts that the new regime will increase workloads due to the required volume of administration with all polices now needing to be tailored to each client case and for the usual terms of business to be updated. This doubling of the workloads will increase company costs with existing staff requiring training and in a high proportion of cases, estate agents needing to recruit staff in order to help with the administration burden. We estimate this could cost the largest estate agents a combined additional cost of £6million.
Alex Ktorides, Partner at Gordon Dadds, says: “The Directive is a shake-up of the way that banks, estate agents and other parts of the regulated sector apply a risk based approach to customers. They will now have to consider the characteristics of the customer, the product and its distribution and the jurisdictions involved in determining the lengths that they have to now go to in terms of conducting due diligence on their clients. There is even a new requirement to force overseas branches of UK parent companies to apply UK standards. This will cause huge concerns to international businesses and even encourage moving head office from the UK.”
The property sector now has to act quickly in order to ensure it complies with the Directive. The purchasers and the seller are both now included in the application of customer due diligence, meaning additional checks will need to be carried out by estate agents, auctioneers and surveyors.
Alex Ktorides continues: “This is going to create substantial challenges for the property sector especially given the final version of the directive has only been made public today which has left no time for banks, estate agents and the lending sectors among others to update their policies and processes alongside training staff on the new regime. Some agents have in excess of 100 branches and have received no prior time to implement the new processes in order to comply.
“For many smaller estate agents (and surveyors) this will be the first time they will have carried out checks on both the buyers and sellers and they are going to have to get up to speed with the regime as quickly as possible or risk facing an unannounced visit from the HM Treasury.”
Gordon Dadds is calling on the UK property sector to act fast and to start to get to grips with the Directive from today. For many medium to large sized estate agents Gordon Dadds recommend they appoint a money laundering officer and a deputy to help with the increased work load and to ensure they are compliant and not falling foul of the regime which could spark a warning or fine from the HM Treasury.
(Source: Gordon Dadds)
Life is about to get tougher for money launderers. One of the new government’s first tasks will be to approve draft regulations to implement EU 4MLD[i]. These new regulations, with their more rigorous approach, apply to banks and other relevant persons[ii]. One of the major changes is the need to thoroughly search for adverse information on potential and existing customers and to evidence this has been done. Carrying out Customer Due Diligence (CDD) manually on entities which are abroad is particularly demanding.
Today RegTech company Kompli-Global launched Kompli-IQ™, a unique search platform with the technology and expertise to meet these challenges.
Kompli-Global CEO Jane Jee, who is also a barrister, says: "Companies will be questioning how they can comply efficiently and cost effectively with the new legislation, particularly the new level of searching/monitoring. The starting point has to be to want to tackle money laundering because it is the right thing to do."
Searching for adverse information has become far more difficult given the explosion of information on the web, which makes it almost impossible to hold this amount of data in structured databases. The alternative, manual searching of the web, is very time consuming and often hit and miss with important information regularly overlooked or hidden from researchers. Using Artificial Intelligence (AI) to judiciously search the World Wide Web and directories invisible to many search engines, such as Google, produces quicker, more accurate results allowing the records found to be saved and future searches scheduled, so the bots can do all the hard work leaving the researcher to simply view any new results found.
To access this information Kompli-Global has developed Kompli-IQTM - a multi-lingual, licensed software as a service (SaaS) search platform. Using proprietary machine learning technology, Kompli-IQTM interrogates a wide variety of global data sources on the web for published adverse information on individuals and entities.
A company's or individual's name will be cross referenced against hundreds of search terms such as: court, fine, bribery or scam. Kompli-IQTM filters the data and search results are rapidly assessed, ranked and sorted. Additionally, these searches can be carried out in the right foreign language where the individual or company has associations outside of the home jurisdiction. Kompli-IQTM forms a key weapon in enabling companies to accept the vast majority of customers who do not present a risk quickly and easily.
"In today's world, it is virtually impossible to conduct the required searches without harnessing the power of Artificial Intelligence (AI). If you try it will be expensive, inefficient and inconsistent. Above all, adverse information will be missed," explains Jane.
The new Regulations introduce a more rigorous approach to Customer Due Diligence and Enhanced Due Diligence and have broadened the scope of Politically Exposed Persons (PEPs)[iii] to include those living in the UK (previously excluded) and their relatives/close associates. Add to this the need to check against sanctions lists and establish the beneficial ownership of companies and it is clear that there is a considerable increase in the amount of work involved.
"To address this, in addition to licensing Kompli-IQTM, Kompli-Global offers Due Diligence reports tailored to our clients’ specific requirements based upon their risk based policies. To compile these reports Kompli-Global interrogates multiple data sources and draws on the local expertise of its extensive advisory community in 66 countries covering 158 regions. With this level of input Kompli-Global can provide the most in-depth information on which companies can base their risk based decisions and, importantly, provide the audit trail that a Regulator will demand," explains Jane.
"RegTech and human expertise can be a powerful defence against money laundering and Kompli-Global is harnessing the power of both - it's the right thing to do," she concludes.
(Source: Kompli-Global)
Technology is bringing the finance industries one step closer to fighting money laundering thanks to the special identification of irregularities in trends and patterns of data, thus creating more 'hits' and fewer 'false negatives.' Aashu Virmani, CMO at Fuzzy Logix here talks to Finance Monthly about the potential impact data analytics can have on fighting money laundering and changing your business for the better.
As long ago as November 2009, Forrester published a research report entitled 'In-Database Analytics: The heart of the predictive enterprise'. The report argued that progressive organisations 'are adopting an emerging practice known as 'in-database analytics' which supports more pervasive embedding of predictive models in business processes and mission-critical applications.’ And the reason for doing so? 'In-database analytics can help enterprises cut costs, speed development, and tighten governance on advanced analytics initiatives'. Fast forward to today and you'd imagine that in-database analytics had cleaned up in the enterprise? Well, while the market is definitely 'hot' it appears that many organisations have still to see the need to make a shift.
And that's despite the volumes of data increasing exponentially since Forrester wrote its report meaning that the potential rewards for implementing in-database analytics are now even higher.
Win Extra Fuel With 4X Kroger Fuel Points Promotion
Given we can deliver our customers with analysis speeds of between 10 - 100 times faster than if they were to remove the data to a separate application outside of the database, we have a 'hard metric' that is very compelling in helping us convince prospects of the value of in-database analytics. It's what gives us confidence that the shift to in-database analytics as the standard for data analysis is a question of time rather than choice. Quite simply, the volumes of data that are increasingly being created mean that the only way to process the data and find analytical value is by doing so within the database. But, as ever, real world examples are the best way to illustrate a point so let's take an unusual one; money laundering.
Banks have a vested interest in ensuring they stay compliant with the regulations in place for catching and reporting anti money laundering (AML). The regulations have been in place for several years, and it is likely that most large banks have systems/processes in place to track and catch money-laundering activity. Despite this, we still hear about cases where the authorities have fined reputable banks for their failure to implement proper AML solutions. Not too long ago, in 2012, HSBC was fined $1.9 Billion by the US Department of Justice for “blatant failure” to implement AML controls related to drug trafficking money and, as recently as 2017, Deutsche bank was fined $650m by British and US authorities for allowing wealthy clients to move $10 billion out of Russia. So why are current implementations/best practices not keeping up?
Let’s look at 3 big factors that contribute to compliance failure in the realm of anti-money laundering:
- The number of non-cash transactions around the world is exploding. Think about applications like Uber, Venmo, Paypal, Xoom and various international money transfer services (almost every large retailer is now in the Moneygram business) – the number of non-cash transactions in the world has exploded. The number crossed $426 billion in 2015, and is growing at over 10% annually. Conclusion: There’s just a lot more hay to find the needle in.
- Legacy solutions were largely rules-based. A program would run through the list of rules, and if any transaction matched a rule, a STR (suspicious transaction report) would be raised, meaning the transaction needed deeper analysis – often with a human in the loop. These rules were good at some point in time, but there are several issues with any rules-based system: (a) Rules are static, and require constant periodic refreshes. For instance, is a $4000 deposit to a rural bank typical of a crop cycle, or an anomaly? (b) Rules do not often transcend cultural/economic/geographical boundaries – e.g., a $400 hotel room in Washington D.C. may be normal, but in rural India it might warrant a second look. Finally (c) Rules present an inherent bias and don’t look at the data to determine what is ‘normal’ and therefore what pops out as ‘abnormal.’
- The analysis of AML is mathematically complex. Incidence of fraud is a rare event, compared to the data that needs sifting through, and catching AML transactions involves looking deep into the history of the account. Each time the system flags a transaction for a deeper look, a human has to investigate further. False positives mean a lot of resource and time investment for the bank. Couple this with the explosion in the number of transactions and the multiple channels through which non-cash transactions occur today, and you can see why systems that were put in place over a decade ago are in serious need of an upgrade.
With the money at stake for money launderers (according to the UN, $2 trillion is moved illegally each year), the efforts taken by criminals to avoid detection have become incredibly sophisticated. Organised crime is continually seeking ways to ensure that the process of money laundering is lost within the huge amounts of financial data that are now being processed on a daily, hourly and even by-the-minute basis. Their hope is that, because so much data is being processed, it is impossible to spot where illegal money laundering activity is happening. And they'd be right, if you had to take the data out of the database for analysis.
Achieving a good degree of accuracy in a typical large bank means having to analyse billions of data points from multiple years of transactions in order to identify irregularities in trends and patterns. A traditional approach would require moving the data to a dedicated analytical engine, a process that could take hours or days or more depending on the volume of data. This makes it impossible to perform the analysis in a manner that can provide any real value to the organization. With in-database analytics, there is no need to move the data to a separate analytical engine, and the analysis can be performed on the entire dataset, ensuring the greatest possible coverage and accuracy.
One of our largest customers is a leading retail bank in India. It was experiencing a rapid growth in data volumes that challenged its then-current AML processes. By not needing to move the data for analysis, we were able to analyse billions of data points over a number of years (3+) of historical data to identify possible irregularities in trends/patterns, and do so in under 15 minutes – faster than any other method. By not working to a pre-defined set of analytical rules and by letting the data 'speak for itself', it is possible to uncover patterns which occur naturally in the data. As a result, the bank is seeing an improvement of over 40% in terms of incremental identifications of suspicious activity and a 75% reduction in the incidence of 'false positives'. In short, good guys 1, bad guys 0 because in-database analytics is having a very real impact on the bank's ability to spot where money laundering is happening.
I'm pretty sure that when Forrester published its report into in-database analytics towards the end of the last decade, it didn't envisage the fight to combat money laundering being a perfect case study for why in-database analytics is a no brainer when handling large volumes of data. But in today's world, with ever increasing data volumes and the requirement to understand trends and insight from this data ever more urgent, in-database analytics has now come of age. It's time for every organization to jump on board and make the shift; after all, if it can help defeat organized crime, imagine what it could do for the enterprise?
