Let’s take a look at how the past year is reflective of what AML trends to look out for in 2023.
There are massive overhauls across the globe in the public registers for companies. The UK and several other nations are campaigning to make identifying ultimate beneficial owners (UBOs) clearer and more transparent.
While this is happening in some countries, in others there is an increasing appetite for more privacy, such as with the European Union Court of Justice's recent ruling in Luxembourg with regards to beneficial ownership of companies. The recession and this time of low economic growth may distract the policy push for tighter regulation of Companies House as the government wants to incentivise inward investment.
Real estate remains one of the faster-growing sectors for money laundering across the board, and the trend is expected to continue into 2023. Real estate is an attractive method of money laundering in many ways. It’s a great way to clean significant sums of money, it can be leveraged at a later date, and plenty of firms that operate in the sector have notoriously poor structures which prioritise faster transactions over compliance. We see significant amounts of cash in the form of ‘donations’ from other parties being used as home deposits across the UK that are difficult to verify and trace, and that trend is only increasing.
Technology has the ability to speed up the time it takes to verify entities and individuals and will exponentially increase productivity across the AML sector over the next few years.
The best thing about regulation is that it affects not only your business, but all of your competitors in the same way. This means that if you can streamline your businesses by processing tasks quicker, cheaper, and more effectively, it will lead to more satisfied customers and happier staff (who hate doing manual AML). Businesses have the opportunity to use compliance as a competitive advantage.
The biggest problem with money laundering is that it is inadvertently highly profitable for reporting entities. Because of this, firms may be more willing to deal with higher-risk transactions and scrutinise these transactions less. This is especially true if they are high-value, which money laundering transactions usually are. Recessions could also lead to firms de-prioritising compliance staff, who are already overworked at the best of times, exposing them to worse compliance processes.
Money laundering in the Metaverse could become a real issue if it actually takes off. Although its user base is currently small, digital assets are a fantastic tool for laundering money. Since the Metaverse is essentially a space populated by virtual businesses selling virtual goods, money launderers can use the same real-world tactics of placement, layering and extraction to clean their money. They will be able to repeat this step over and over again using different amounts each time, making transactions extremely difficult to trace.
As web3 starts to develop and mature, we’ll see more creative ways for money launderers to exploit this space. And, as new regulations come in about government UBO databases, we’d expect to see a rise in even more opaque structures to try and hide beneficial ownership.
Companies will continue to grapple with balancing cost, speed and transparency of business transactions in a competitive and volatile economy. As such, they will have no choice but to rely on specialist partners to keep them up to date with relevant AML legislation and ecosystem changes.
We expect to see an increase in the use of the data collected when companies file Suspicious Activity Reports (SARs). Data collected from SARs can be used by up to 80 law enforcement agencies who conduct their own checks as a means for investigating and preventing criminal activity. This information is currently interrogated as a dataset thousands of times a year for keywords and names to help identify and direct an investigation.
Particularly with the improvements being made to the SARs portal, we expect agencies will better utilise structured data and will allow better quality data into the system to be triaged, analysed and used more effectively across different departments.
The year ahead is full of new opportunities, especially with the further development of the Metaverse and web3. This, along with the economic downturn, could lead to a rise in fraudulent activity.
Businesses must stay alert and ensure that they are taking all the measures possible to avoid falling victim to money launderers. Thanks to new developments in AML technology, 2023 looks bright for compliance. Now’s the time to take advantage of new tech, so businesses - from real estate, and accounting to law - can stay on the right side of history, avoid hefty fines and come out of the recession shining.
This type of fraud can lead to financial problems for your child later in life, so it's important to be on the lookout for signs that your child's credit may have been compromised. If they do fall victim to fraud, their name and information can be used to take out the best personal loan or credit cards.
If you notice unusual activity on your child's credit report, such as inquiries from companies you don't recognise or accounts that you didn't open, fraud may have occurred. You should also monitor your child's mail for bills or collection notices from creditors. If you suspect that your child's credit has been fraudulently used, you should contact the credit reporting agencies and place a fraud alert on your child's file. By taking these steps, you can help protect your child's credit and financial future.
It's important to keep an eye on your child's credit report to make sure that there is no fraud taking place. Here are a few things to look for:
1. Unusual activity. If you see something on your child's credit report that you don't recognise, it could be fraud. This can include new accounts that have been opened, charges made to existing accounts, or even inquiries from creditors.
2. Incorrect information. If any of the information on your child's credit report is incorrect, it could be a sign that someone has fraudulently obtained their personal information. This can include things like a wrong address or date of birth.
3. Poor credit history. If your child doesn't have a long credit history, you might not expect to see much on their credit report. However, if you see that they have a lot of late payments or other negative marks, it could be a sign that someone has been using their information without their knowledge.
1. Keep your child's Social Security number and other personal information safe.
2. Check your child's credit report regularly.
3. Put fraud alerts and security freezes on your child's credit file.
4. Sign up for a credit monitoring service.
5. Teach your child about good credit habits.
6. Report any suspicious activity immediately.
7. File a police report if you suspect fraud.
8. Protect your own credit to avoid identity theft.
9. Keep tabs on your child's spending habits.
10. Talk to your child about money and credit regularly.
If you suspect that your child's credit is the victim of fraud, you should contact the credit reporting agency and the creditor immediately to dispute the inaccuracies and begin the process of restoring your child's good name.
[ymal]
Expensive, but not effective?
The cost of financial crime compliance has increased exponentially over the past few decades. In recent years, perhaps inevitably, we have seen a growing questioning of whether those efforts are paying off. The effectiveness of compliance is extremely hard to measure. At a macro level, this could potentially be seen through a tangible reduction in predicate crime offences or an increase in those facing justice for their crimes. At a financial institution level, this is arguably harder to assess – does an increase in suspicious activity reports (SARs), as one possible measure, point to a more or less effective program? The answer could be argued either way. The reality for most financial institutions producing intelligence output in the form of SARs is that there is often no feedback provided as to whether the information was useful to law enforcement or not.
The consideration of effectiveness was highlighted by the Financial Action Task Force (FATF), the global AML standard setter, in 2019, when they announced a strategic review of their country's evaluation process. Amongst the goals of the strategic review was to consider ways in which changes could be made to the FATF methodology to encourage countries to more effectively combat money laundering and terrorist financing. It was noted that the existing FATF process motivated countries to take action in order to avoid a bad report, rather than with a focus on reducing harm to society or protecting the integrity of the financial system. In other words, the focus had been on implementing a process rather than assessing outcomes.
A risk-based approach
Where resources are inevitably stretched, concentrating on risk is more likely to produce effective outcomes. The FATF strategic review was finalised in March 2022 with approval of the procedures for the fifth round of mutual evaluations, which will have a greater focus on risk to ensure that countries focus efforts on the areas where risks are highest. The next cycle of FATF evaluations will also be shorter, with a stronger follow-up process that will focus primarily on improving effectiveness.
Earlier, in March 2021, FATF had issued guidance to support countries to take a risk-based approach to supervision. Supervisors play a key role in helping regulated entities to understand the risks they face and how to mitigate them, for example by providing guidance on linking a national risk assessment to an entity’s risk assessment.
The EU’s 4th Anti-Money Laundering Directive (4AMLD) mandated that the European Commission conduct an assessment of money laundering and terrorist financing risks affecting the internal market and relating to cross-border activities, and to update it at least every two years. These assessments provide useful insight into identified money laundering risks which can be leveraged at a national level. The 5AMLD further mandated that Member States make the results of their risk assessments available to the European Commission and the other Member States, and to make a summary version, without classified information, publicly available.
The European Banking Authority, also in 2021, issued revised guidance regarding risk factors for money laundering and terrorist financing, addressed to both financial institutions and supervisors. The guidance sets out risk factors for financial institutions to consider with respect to customer relationships and transactions. They also note that business-wide risk assessments should be performed at least annually, and that they should consider specific sources of information, including the European Commission’s supranational risk assessment referenced above.
Information, information, information
The risk-based approach, in terms of assessing where higher risk is likely to exist (for example in a specific product, client sector or geography) and targeting those areas, undoubtedly makes sense. But what is even more effective, is the sharing of information where there is already identified criminality.
The traditional model of transaction monitoring produces vast numbers of alerts which are usually reviewed manually in order to determine whether the activity appears ‘suspicious’. A single-institution reviewing a customer’s behaviour may find it extremely difficult to make that determination of suspicion. However, the potential penalties for not filing a SAR are such that a huge number of ‘defensive’ SARs are submitted by institutions every year; the aim being to protect the institution where there is an element of doubt. However, the compliance cost of that work is significant and, far from being helpful, this can instead overwhelm under-resourced law enforcement teams with reports that have little to no value in the fight against financial crime.
Where law enforcement and financial institutions are able to collaborate, this is far more likely to produce a tangible outcome. Initiatives such as the UK’s Joint Money-Laundering Intelligence Taskforce (JMLIT) allows prosecuting authorities to share live details of the subjects of an investigation with participating institutions without compromising investigations. This allows financial institutions to very quickly identify where they have information that is directly relevant to an ongoing criminal investigation. Law enforcement collating data from across many banks will get a much better picture of the financial funds flows, as well as supporting information and documents provided in relation to account opening and periodic KYC checks that can significantly enhance or progress an investigation.
Legislation that is in place to protect the privacy of personal data poses challenges to information sharing, but some regulators are providing assurances regarding information sharing in the AML context. In December 2020, FinCEN published updated guidance which gave great latitude in financial institutions’ ability to share relevant information with each other under existing legislation – s.314b of the USA PATRIOT Act 2001. The guidance specified that the financial institution doesn’t need to have specific information regarding proceeds of a crime or have made a conclusive determination that the related activity is suspicious. It also stated that information on attempted transactions and information which includes personally identifiable information (PII) can be shared, and financial institutions are not restricted in their methods of sharing information, including verbally.
What financial institutions can do today
Some areas of improvement that would make financial institutions more effective in combating money laundering are not within their control, particularly the creation of complete and accurate UBO registers to facilitate KYC. However, the developments discussed in this article reveal two areas where financial institutions can and must take action: firstly, really understanding and focusing effort on areas of higher money laundering risk through conducting regular and rigorous risk assessments; and secondly, actively participating in information sharing to the fullest extent possible in their jurisdiction. We are seeing an increasing trend of both public-private partnerships and, in some areas, financial institutions sharing information directly with each other – a positive trend which is only likely to continue.
Notably, financial criminals are evolving, with regulations also changing. This scenario has created the need for financial institutions to remain on top of their game to deter criminals in their tracks. Failure to put a solid proof financial crimes risk management system in place can be costly due to accompanying hefty fines.
Financial crime is constantly evolving, and institutions are at risk of committing compliance mistakes and struggling to meet their regulatory obligations. Some of the mistakes happen despite persistent sensitisation on curbing the vices. However, below are vital guidelines vital for mitigating financial crimes.
Detecting fraud manually can miss out on some potential flaws. For instance, organisations can leverage AML detection solutions to automate the onboarding process. Such technologies cut out instances such as false positives and repetitive tasks while allowing more time to focus on serious threats.
This approach should be conducted in all business relationships and transactions, especially when a potential risk has been identified. A financial institution can use ongoing monitoring once unusual transactions outside the banking activity's regular pattern have been identified.
An institution should commit to fine-tuning internal policies regularly. This ensures new emerging laws are embedded at every level of the business. Consider onboarding external experts to review your existing policies.
Employees should have an opportunity to speak up freely when they notice suspicious activities. The organisation can focus on offering employees relevant training to identify and manage financial crime threats while stressing the importance of observing the policies.
The financial institution should conduct a comprehensive risk assessment by considering all the relevant inherent and residual risk factors. Additionally, there should be appropriate mechanisms to document and provide risk assessment information to relevant authorities and agencies such as supervisors.
Machine learning: This helps detect transaction patterns where the system acquires its own rules based on the data and patterns found. Notably, the technology is gaining prominence among various institutions.
Cloud computing: This technology can help manage data for aspects like performing know your customer AML activities. Cloud computing also offers other benefits, like improved risk-scoring capability.
Graph analysis: The purpose of graph analytics technology is to compare relationships between individuals. The technology deploys data analysis to show whether individuals present their true identity while engaging with a financial institution.
Automation: An institution can acquire software, primarily robots, to study human sequence while interacting with the organisation. For instance, the technology can detect unusual activity while monitoring logins, click, and copy-and-paste actions to determine any specified sequence that might call for further investigation.
Financial crimes come at a cost, and there is a need to deploy various measures like state-of-the-art technology, analytics, and data management to meet compliance requirements. It is key to stay ahead of the curve to address changes more efficiently.
Dr Henry Balani, Head of Industry & Regulatory Affairs for Encompass Corporation, explains how embracing technology can ease the burden on financial regulators.
Money laundering in the UK, specifically, is far more complicated than people may first anticipate, with thousands of complex relationships between finance professionals and international criminals contributing to money laundering and the wider financial crime economy. Despite increased levels of financial crime since the start of the pandemic, analysis shows that penalties against regulated firms, specifically for money laundering, decreased significantly last year. This does not, however, signal weaker enforcement. Rather regulatory and enforcement agencies have prosecuted other areas of financial crime, primarily in pandemic fraud scams related to unemployment assistance schemes.
One illicit method we have seen during the pandemic has been Covid bounce back loans which saw the government lend millions of pounds to small businesses. These loans did not include sufficient credit checks or verification. As a result, we have seen examples such as two men being jailed in December last year for running a £70 million money laundering scheme involving £10 million from Covid loans.
By November 2021, the government stated that they had lost over £5 billion from pandemic fraud scams against these schemes with perpetrators targeting the Coronavirus pandemic in an attempt to stay ahead of regulators, resulting in greater focus being placed on this area. As a result, there has been a lesser concentration on money laundering and subsequently lesser and fewer penalties issued, contributing to the decline in penalties against global financial institutions.
It is also worth noting that while 2021 represents a current peak, it is still the third-highest year on record after 2020 and 2014 where AML fines reached US$2.9 billion. The peaks and valleys over the years are not necessarily surprising as financial crime investigations are comprehensive and can take a long time to prosecute. It would be not surprising to see a large backlog of cases that will come to fruition in 2022.
Financial crime has been a long-standing issue in Britain, and in London in particular, due to colonial ties to offshore tax havens in places such as the Caribbean, Cayman Islands and Jersey which by law encourage the registration of offshore trusts as a business service which have become hubs for money laundering and tax avoidance. Financial institutions cannot become complacent in their efforts to bolster their defences against money laundering, especially as current geopolitical events indicate increased criminal activity as highlighted in the Pandora Papers and possible increased sanctions against Russia and threats from Iran and North Korea.
The International Consortium of Investigative Journalists (ICJJ) coordinated and published findings from a series of leaked documents outlining the inner workings of offshore companies used to limit company ownership identification. And, it was uncovered that there were 956 companies in offshore havens connected to 336 politicians and public officials with the majority of companies set up in offshore hotspots in the British Virgin Islands. This serves as a reminder that money laundering is still occurring at an alarming rate, and will, unfortunately, almost certainly persist over the coming year.
Technology, specifically RegTech, enables organisations to implement more effective processes to identify, mitigate and investigate financial crime. It is heartening to note that regulators, both in the UK and the USA, continue to encourage dialogue with RegTech firms to ensure legislation encourages and supports the adoption of new technologies for improved compliance, more effective investigations, and bolster defences against financial crime.
In response to the evolving Covid-19 world, now more than ever, technology must be utilised to our advantage, and embracing new technologies is a clear route forward for all possible factions that are complicit in or impacted by financial crime, such as the institutions themselves.
Due-diligence and compliance technologies represent examples of RegTech which can help to increase the effectiveness of investigations to stop financial criminals in their tracks, and hopefully dissuade future money laundering crimes being committed. We are also seeing evolving modes of money laundering through criminals using more complex means to hide illicit gains, such as cryptocurrency. Further technological innovation is occurring in this area to ensure regulators have access to the best solutions available to combat new forms of financial crimes. We are now seeing blockchain analytics technology being used to ‘track and trace’ ransomware and other illicit activity using cryptocurrency. It will not be surprising to see greater amounts of prosecutions and money laundering penalties due to illicit use of cryptocurrency as a trend going forward on top of money laundering through traditional fiat currency.
We must also see greater proactivity and cooperation from firms and financial professionals to ensure this criminal behaviour is sufficiently identified and prevented. As the global pandemic subsides, more professionals will return to physical offices, presumably resulting in greater collaboration and efficiencies in identifying potential illicit criminal activities in their customer portfolios. Adoption of new technologies, including the use of artificial intelligence and automated process analysis tools, combined with greater action from these firms and professionals will refine reporting activity. This will subsequently help ease the burden on regulators by ensuring suspicious activity reports are accurately filed with their respective financial intelligence units.
The positive dialogue between RegTech firms and regulators is welcome with the new technologies set to take centre stage in money laundering regulation moving forwards, and with these developing technological innovations alongside greater preventative involvement and due diligence from finance professionals, regulators and enforcers will be able to maximise their efforts in identifying, preventing and punishing financial crime.
For decades, financial services and risk have evolved hand-in-hand. As manual, paper-based processes have given way to digitisation, countless improvements in efficiency and effectiveness have been realised. Yet the best of times can also be the worst of times, as risks have multiplied at pace. It is incumbent on the financial services industry to continue to combat these ever-changing risks, using historical learnings as a foundation for new approaches, strategies and insights.
The evolution of financial crime detection
In the early days of electronic transactions, risk management was basic. With no historic information on which to base them, rules used to identify suspicious and potentially fraudulent transactions were simple and often arbitrary. As knowledge was gained, these generic rules evolved to expert rules, based on the experience derived from the outcome of the simple rules.
Expert rules proved to be quite effective, helping to address situations such as proliferating check fraud. Indeed, some of these expert rule-based solutions are still useful today.
As time went on and the volume of electronic information related to financial services continued to increase, the industry began to leverage statistical inference to more effectively handle risk. Subsequently and most recently we have seen a shift to using machine learning and artificial intelligence (AI) for fraud detection purposes. While the use of these technologies for fraud detection may seem revolutionary to some, it’s actually no surprise given the industry’s propensity to quickly adapt the latest technologies to the fight against financial crime.
Taking a look at today
Modern banking has evolved into an always-on, omnichannel operation; whether opening an account, checking a balance or moving money with a mobile device, customers expect a frictionless, secure interaction.
The delivery of these modern banking experiences must be balanced against fraud that is fast-moving, automated, and perpetrated with sophisticated technology tools designed to bypass traditional controls.
Financial institutions are compelled to innovate to keep up with a rapidly changing landscape and increasingly innovative criminals. Institutions are seeking new ideas, solutions and approaches through the use of data, analytics, machine learning, AI technologies and more.
Even the most advanced technology is not enough to effectively combat financial crime on its own.
Leveraging these techniques has become key to managing financial crime risk and to the operational management of financial crime alerts, allowing detection of financial crime to become more precise and less disruptive of legitimate transactions. This helps financial services providers to balance risk management obligations with the delivery of a better customer experience, which is critical in a highly competitive financial services world.
Embracing a new path going forward
Institutions have begun to embrace the reality that effectively tackling financial crime requires applying new approaches, strategies, and insights; further investing in technology and innovation; developing new skills, and fostering collaboration within their internal financial crime units as well as externally with technology vendors and regulators.
For enhanced financial crime risk management, many are moving to converge anti-money laundering (AML), fraud, and information security functions to some degree to take advantage of shared intelligence and economies of scale in the tools that they use. This includes forming partnerships across those functions, realigning technology and organisational restructuring.
As institutions seek new solutions, ample opportunities exist for innovative technology providers. With deep expertise in technology, data science, analytics and integration projects, providers can become valued and trusted partners offering sage advice as financial service providers navigate their transformation journey.
The solution to defeating financial crime lies in a combination of the right technology, trusted data, and human intelligence, along with greater collaboration. The financial services industry has really only scratched the surface of what can be achieved, and the next decade will see further developments in this movement. Increased automation, simplified operational processes, and more detailed and less costly analytics create great potential for enhanced transparency while maintaining or improving personal privacy and security of financial activity.
Financial crime technology continues to evolve. Yet even the most advanced technology is not enough to effectively combat financial crime on its own. The future of financial crime detection, prevention and mitigation will be built on new approaches to deployment, a commitment to internal and industry-wide collaboration, and the ongoing implementation of new ideas. Enabling a balance between people, process and technology is critical to maximising return on technology investment and delivering heightened security in an ever-changing world.
Refinitiv, one of the world’s largest providers of financial markets data and infrastructure, has published its second annual financial crime report today. Innovation and the fight against financial crime: How data and technology can turn the tide highlights that almost three-quarters (72%) of organisations have been victims of financial crime over the past 12 months with a lax approach to due diligence checks when onboarding new customers, suppliers and partners cited as creating an environment in which criminal activity can thrive. This wake-up call has led to 59% of companies adopting new technologies to plug compliance gaps.
In its 2018 report, Refinitiv outlined that $1.45 trillion of aggregate turnover is lost as a result of financial crime. This year’s report shows that the cost could indeed be much greater. Only 62% of the 3,000 compliance managers Refinitiv surveyed across 24 geographies claimed that financial crimes were reported internally, and just 60% said that they were reported to the relevant external organization.
Over the next year, companies are intending to spend on average 51% more to mitigate the crisis. The increased investment emphasises the priority placed on fighting financial crime in 2019 and reflects the amount of pressure respondents are under to be more innovative to both reduce risk and costs.
According to the report, an overwhelming majority of respondents (97%) believe that technology can significantly help with financial crime prevention with cloud-based data and technology the top choice, followed by AI and Machine Learning tools. Technology-driven solutions, such as Artificial Intelligence and Machine Learning, are already allowing businesses to implement processes and check up to millions of customer and third-party relationships, more quickly and efficiently.
Phil Cotter, Managing Director of the Risk business at Refinitiv, said the results showed that businesses need to do more to invest in technology to address the problem: “It is clear from the results of this report that businesses exposed to financial crime threats need to maximize their use of technology and future collaboration could prove key to realising the potential of innovation, particularly between tech companies, governments and financial institutions.
“Significant advancements in technology, facilitated by innovations such as AI, ML and cloud computing, are already under way. These technologies are enabling intelligence to be gathered from vast and often disparate data sets which together with rapid advances in data science, are transforming the approach to compliance, streamlining processes such as Know Your Customer (KYC) and helping to uncover previously hidden patterns and networks of potential financial crime activity.”
While the report focuses on the many emerging technologies coming on stream in the fight against financial crime, it also urges organisations not to overlook another vital form of innovation – collaboration. Just over eight in 10 (81%) respondents said that there is some sort of existing partnership or taskforce in their country to combat financial crime. 86% believe that the benefits of sharing information within such a partnership organization outweighs any possible risks.
In 2018, Refinitiv partnered with the World Economic Forum and Europol to form a global Coalition to Fight Financial Crime. The Coalition is working with law enforcement agencies, advocacy groups, and NGOs to address the societal costs and risks that financial crime poses to the integrity of the global financial system.
Much that has been written about the General Data Protection Regulation (GDPR) relates to the burden of obtaining proper consents in order to process data. This general theme has provoked questions about whether and how financial institutions can process data to fight financial crime if they need consent of the data subject. While there are certainly valid questions, GDPR is much more permissive to the extent data is used to prevent or monitor for financial crime. Richard Malish, General Counsel at Nice Actimize, explains.
Clients and counterparties will oftentimes be more than happy to consent to data processing in order to participate in financial services. But consent can be withdrawn, so offering individuals the right to consent will give the impression that they can exercise data privacy rights which are not appropriate for highly-regulated activities.
Rather than relying on consent, the GDPR also permits processing which is necessary for compliance with a legal obligation to which the controller is subject and (2) processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Some areas of financial crime prevention are clearly for the purpose of complying with a legal obligation. For example, in most countries there are clear legal obligations for monitoring financial transactions for suspicious activity to fight money laundering. The European Data Protection Supervisor stated in 2013 that anti-money laundering laws should specify that "the relevant legitimate ground for the processing of personal data should… be the necessity to comply with a legal obligation by the obliged entities…." The 4th EU Anti-Money Laundering Directive requires that obliged entities provide notice to customers concerning this legal obligation, but does not require consent be received. And the UK Information Commissioner's Office gave the example of submitting a Suspicious Activity Report to the National Crime Agency under PoCA as a legal obligation which constitutes a lawful basis.
Very few commentators have attempted to cite a legal authority for anti-fraud legal obligations. The Payment Services Directive 2 (PSD2) requires that EU member states permit personal data processing by payment systems and that payment service providers prevent, investigate and detect payment fraud. But PSD2 has its own requirement for consent and this protection may fail without adequate implementing legislation in the relevant jurisdiction. Another possible angle is that fraud is a predicate offense for money laundering, and therefore the bank has an obligation to investigate fraud in order to avoid facilitating money laundering.
"Legitimate interests" are also permitted as a basis for processing. However, this basis can be challenged where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Financial institutions may not feel comfortable threading the needle between these ambiguous competing interests.
However, the GDPR makes clear that several purposes related to financial crime should be considered legitimate interests. For example, "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest" and profiling for the purposes of fraud prevention may also be allowed under certain circumstances. It is also worth recognizing that many financial market crimes such as insider trading, spoofing and layering are oftentimes prosecuted under anti-fraud statutes.
Compliance with a foreign legal obligations, such as a whistle-blowing scheme required by the US Sarbanes-Oxley Act, are not considered "legal obligations," but they should qualify as legitimate interests.
While legal obligations and legitimate interests do not cover all potential use cases, they should cover most traditional financial crime processing. Some banks have been informing their clients that a legal obligation justifies their processing for AML and anti-fraud. Others have included legal obligations and/or legitimate interests as potential justifications for a laundry list of potential processing activities.
Financial institutions should use the remaining days before GDPR's effective date to provide the correct notifications to data subjects and confirm that their processing adequately falls under a defensible basis for processing. And with this basic housekeeping performed there is hopefully little disruption to their financial crime and compliance operations.
Óscar Hernández has spent the last 11 years working in the Forensic department of Deloitte. His current position is Director, with a primary focus on financial fraud investigations and the preparation of expert witness reports, as well as the defence of the expert report in the Court (during the judgement).Here, Óscar talks to Finance Monthly about financial crime in Spain, recent changes to the criminal justice system and offers advice for companies on how they can protect themselves from fraud.
Financial crime is becoming more and more prevalent - what legal remedies are available to businesses that fall victim to financial crime, especially fraud?
In Spain both the legislation and the sensitivity of companies, especially some financial institutions, despite the improvements, are still very far from those in other neighboring countries, such as the United Kingdom, Germany or Switzerland. There is still no developed fraud prevention culture in Spain, which is why companies tend to act only reactively. In order for the damage suffered to be mitigated as far as possible, from the instant the fraud is identified, the company must put itself in the hands of its legal advisors. From a forensic point of view, it is essential to preserve the evidence of the possible crime in order to face possible legal proceedings that could be initiated and aimi to mitigate as much of the economic damage suffered by the company as possible.
How has the criminal justice system changed in recent years to combat the increased sophistication of fraud? What have been the significant changes?
The Criminal Code has been modified in recent years in order to provide judges and prosecutors with more powerful tools for the fight against corporate fraud and organized crime. Among other reforms, the assignment of criminal liability for legal persons, modified penalties for fraud and revised punishment for corruption in business (payment of bribes to politicians and officials) stand out. Although there is a social environment that is very sensitive to the many cases of political corruption that affect many institutions, there still exists some tolerance and permissiveness in relation to the submerged economy. These newly introduced reforms are on the right track, but still not enough.
What are the trends in Spain, in terms of the types of financial crimes that are being committed? What factors drive crime in certain sectors, for example the financial sector?
The most relevant fraud cases in Spain are closely related to political corruption. This corruption is intimately linked to corporate corruption and bribery, with the ultimate goal of achieving public work awards circumventing the legal awarding procedures based on quality and price. With regards to the financial sector, since the beginning of the financial crisis almost ten years ago, there have been a number of financial scandals related to the management of Savings Banks. Many of those entities have disappeared as a result of the crisis itself, but also due to ruinous investments made by the former management, payment of millionaire pensions and unjustified expenses.
What precautionary measures can companies take to protect themselves against fraud?
The reform of the Criminal Code and the attribution of criminal responsibility to legal persons have led to greater awareness of the companies’ Boards of Directors against financial crime. A greater development of proactive fraud prevention policies is being noted, especially in large companies, with the proliferation of Ethical Codes, Whistleblower channels and action protocols for fraud situations.
What are the complexities and challenges of investigating accounting irregularities?
Most of the fraud investigations related to accounting manipulation in Spain are mainly aimed at the upward manipulation of revenues, with different objectives such as achieving budgeted results or EBITDA, that are linked to the variable compensation of the Management, the makeup of the results for the possible sale of the company, etc. The investigation of these irregularities is very thorough and is based, most of the times, on the use of technological tools focused on communications review and data analytics.
What are the specific challenges that you are typically faced with when working on financial crime cases?
In recent years, fraud investigations have become increasingly complex. The fraudsters are getting more and more “professional”, which on many occasions forces us to adapt the investigation strategy on the fly and introduce even more technology in the investigations. It is becoming more necessary to have an open-minded attitude in order to be able to put ourselves in the fraudster’s shoes.