Financial institutions (FIs) continue to spend more and more money on fraud tools, with seemingly no end in sight. Every time fraud increases, so does spending. But this, paired with the fact that fraud continues to rise, indicates the approach financial institutions are taking is flawed, says David Vergara, Director of Security Product Marketing at OneSpan. British banking customers lost £500m to fraud in the first half of 2018, and new figures from Action Fraud show that more than £190,000 a day is lost in the UK by victims of cyber-crime. We’re also seeing newer types of fraud gain momentum, such as contactless fraud, which doubled in just 10 months in 2018.

The Home Office estimates there is £14.4bn worth of economic crime within the UK's financial sector each year. And a recent report by the Financial Conduct Authority estimates the financial services industry is spending over £650 million annually in dedicated staff time to combat fraud and other financial crimes. This excludes costs such as IT investments in fraud prevention and detection, so in reality, the number is likely far higher. Achieving the goal of driving down fraud, while ensuring the best user experience and meeting strict compliance regulations, continues to be a major challenge for the industry.

On the other hand, technology is often a bank’s first line of defence against fraud. A Juniper Research report on online payment fraud said merchants and FIs will spend £7.2 billion annually on fraud detection and prevention tools by 2022. There are several challenges that come with this. One big part of the problem is that banking environments are becoming harder to defend, and computing environments which are already inherently complex only become more complex with the integration of new technologies.

Another problem is solutions overload: there are over a thousand vendors competing to sell security solutions to financial institutions, with a seemingly limitless variety of claims and undifferentiated value propositions. Unsurprisingly, vendor procurement is a daunting task: approval can take more than a year, implementations typically take six months or longer, and often, various solutions are not designed to work in harmony with existing platforms and technologies.

Meanwhile, the nature and sophistication of attacks against FIs, especially in online and mobile channels, have reached new heights, making it increasingly clear that fraud is not something that can be easily contained. For example, PwC’s 2018 Global Economic Crime & Fraud Survey reported a shift to technology-enabled crime, with cybercrime overtaking all other methods to secure its place as the most prevalent type of fraud.

To address the challenges and stop the loss of billions to fraud each year, banks and financial institutions need a profoundly innovative approach, one that leverages vast cross-channel data and mitigates fraud in real-time. This should make use of modern machine learning algorithms, behavioural analysis, and automated policy-driven workflows to reduce fraud, through more accurate detection of emerging fraud schemes and continuous monitoring to satisfy regulatory compliance. Open platforms that leverage APIs to connect to third-party data sources can further improve the accuracy of fraud detection, boosting the bottom line.

Intelligent authentication is one of the latest innovations that helps FIs to achieve these goals. Intelligent authentication works through a comprehensive risk score based on vast and disparate data, including transaction details, end-user behaviour, the integrity of their devices and mobile apps, and other contextual data points. So, for example, it can recognise that a customer regularly transfers £200 to the same account each month from the same mobile phone in Manchester. The score and related level of risk for this transaction are based on the customer’s unique behaviour and context.

Why is this information important? Because, if it now appears that the same customer is trying to send £1,000 to a new account from an untrusted device in Paris, which falls outside his usual scope and contextual pattern, the transaction is more likely to be an attempt at fraud. However, people don’t live in boxes: it’s entirely possible that they travelled to another city.

Therefore, instead of denying the transaction, intelligent authentication challenges the consumer accordingly: they are granted conditional access to particular account features, such as larger funds transfers. If they can pass the security hurdle and authenticate, then they can proceed with the transfer. As customers’ contextual patterns and circumstances evolve, the technology is intelligent enough to recognise these changes and adapt. To achieve greater security and superior user experience, banks and FIs need to put these new technologies and practices into motion now.
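A minimal sketch of the score-then-challenge flow described above, using the article's Manchester and Paris transfers. It is an added illustration, not OneSpan's or any bank's implementation; the signal names, weights, threshold and the `step_up` callback are all assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Callable

# Weights and threshold are illustrative assumptions, not values from the
# article or from any vendor product.
WEIGHTS = {
    "new_payee": 30,
    "untrusted_device": 30,
    "unusual_city": 15,
    "amount_outlier": 25,
}
CHALLENGE_THRESHOLD = 40


@dataclass(frozen=True)
class Transfer:
    amount: float   # GBP
    payee: str
    device_id: str
    city: str


@dataclass
class Profile:
    """Per-customer baseline learned from transfers that were allowed."""
    amounts: list = field(default_factory=list)
    payees: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    cities: set = field(default_factory=set)

    def learn(self, t: Transfer) -> None:
        self.amounts.append(t.amount)
        self.payees.add(t.payee)
        self.devices.add(t.device_id)
        self.cities.add(t.city)


@dataclass(frozen=True)
class Decision:
    outcome: str     # "ALLOW", "ALLOW_AFTER_CHALLENGE" or "HELD"
    score: int
    reasons: tuple


def amount_is_outlier(profile: Profile, amount: float) -> bool:
    """Flag amounts far from this customer's own history."""
    if len(profile.amounts) < 3:
        return True  # too little history to call any amount normal
    mu = mean(profile.amounts)
    sigma = pstdev(profile.amounts)
    # Floor the tolerance at half the mean so a customer who always sends
    # exactly the same amount (sigma == 0) is not flagged for small changes.
    tolerance = max(3 * sigma, 0.5 * mu)
    return abs(amount - mu) > tolerance


def score(profile: Profile, t: Transfer):
    """Return (risk score, names of the signals that fired)."""
    signals = {
        "new_payee": t.payee not in profile.payees,
        "untrusted_device": t.device_id not in profile.devices,
        "unusual_city": t.city not in profile.cities,
        "amount_outlier": amount_is_outlier(profile, t.amount),
    }
    reasons = tuple(name for name, hit in signals.items() if hit)
    return sum(WEIGHTS[r] for r in reasons), reasons


def authorise(profile: Profile, t: Transfer,
              step_up: Callable[[Transfer], bool]) -> Decision:
    """Allow low-risk transfers; challenge, rather than deny, risky ones."""
    risk, reasons = score(profile, t)
    if risk < CHALLENGE_THRESHOLD:
        profile.learn(t)
        return Decision("ALLOW", risk, reasons)
    # step_up stands in for a stronger factor (for example a biometric or
    # one-time code). The baseline only adapts after it succeeds, so a failed
    # attempt never adds the new device, city or payee to the trusted sets.
    if step_up(t):
        profile.learn(t)
        return Decision("ALLOW_AFTER_CHALLENGE", risk, reasons)
    return Decision("HELD", risk, reasons)


def build_sample_profile() -> Profile:
    """Constructed history: six monthly £200 transfers from Manchester."""
    p = Profile()
    for _ in range(6):
        p.learn(Transfer(200.0, "PAYEE-REGULAR", "phone-A", "Manchester"))
    return p


if __name__ == "__main__":
    profile = build_sample_profile()
    paris = Transfer(1000.0, "PAYEE-NEW", "laptop-X", "Paris")
    print(authorise(profile, paris, step_up=lambda t: False))
    print(authorise(profile, paris, step_up=lambda t: True))
```

A single unusual signal, such as the usual payment made while travelling, stays under the threshold and passes without friction; only the combination of new payee, untrusted device, new city and outlying amount triggers the challenge.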

Ultimately, mitigating fraud requires keeping up with the latest technologies that will enable financial institutions to more effectively and efficiently mitigate both existing and quickly emerging fraud schemes. By delivering a strong, consistent user experience across digital channels, today’s FIs will continue to grow revenue, bring new solutions to market fast and quickly exceed customer expectations, all of which will drive higher services utilisation and loyalty.

The blunt truth is, insiders who are close to critical systems—or outsiders who are skilled enough to exploit vulnerabilities in anti-fraud and other security controls—will steal. They may target assets they’re entrusted to protect or cook the books to hide their tracks; in the end both types of fraudsters aim to make off with significant money. Here Chris Camacho, Chief Strategy Officer at Flashpoint, offers expert insight into fighting fraud right on your business’ doorstep.

Fraud persists, and frankly, it’s not realistic to believe businesses can take measures that will permanently eradicate it. Fighting fraud, however, doesn’t have to be in vain.

Get inside the adversary’s head

Anti-fraud systems may be effective and getting better, but they’re not going to deter a profit-motivated criminal. The challenge then becomes an exercise in anticipating the fraudster’s next move. In order to get inside an adversary’s head, anti-fraud professionals must consider what incentivises a fraudster and what their targets could be. In most cases, this is a simple exercise: credit card data, personally identifiable information (PII), user account login credentials, and other types of proprietary data and information are common targets.

It’s also imperative to consider how fraudsters might attempt to hurdle existing controls in order to access your business’ assets. Multi-factor authentication may protect some payment card transactions, but what about gift cards, for example? Unlike bank-issued credit and debit cards, gift cards are generally not held to strict anti-fraud standards, which is largely why they are a desirable asset among many fraudsters. Illicit vendors selling stolen gift cards have become commonplace on the Deep & Dark Web (DDW) in recent years, leading to an uptick in instances of gift card fraud.

Thinking like a fraudster means considering all of the options available to an attacker and admitting that certain systems or processes may be flawed. Proactively identifying and addressing any weaknesses in existing anti-fraud programs, such as those fraudsters have found are often present within gift card security controls, can help businesses better anticipate and prepare for fraud.

Have eyes and ears on DDW fraud forums

Thinking like a criminal is only one part of this strategy. To accurately anticipate how your company, your peers, or your industry is being targeted, it’s important to have insight into the conversations and behaviours of those perpetrating fraud. Not all organisations are going to have proper visibility into these realms, so it’s important to have a trusted partner with eyes and ears on the DDW, for example.

Certain DDW forums focus on fraud, and on these forums, certain trends emerge. For example, discussions related to the lax anti-fraud controls of gift cards eventually manifested in a spike in gift card fraud.

Many fraudsters’ ever-evolving tactics bear little resemblance to the tried-and-true fraud schemes with which most businesses are familiar. Although countless variations of credit card fraud, for example, are generally well-known and well-mitigated in the financial services and retail industries, many businesses continue to incur substantial losses from lesser-known types of fraud. In addition to gift card fraud, refund fraud, health savings account fraud, and rewards point fraud are only a few of many such examples that were initially conceived within the cybercriminal underground before posing a threat to businesses.

The DDW can be a rich source of insight into emerging fraud tactics and schemes. But because accessing and engaging within these online communities can be challenging and risky without the proper expertise and protections, businesses are encouraged to work with reputable intelligence vendors to more effectively, easily, and safely gain visibility into the cybercriminal underground.

Keep track of regional ties and variations

Analysts have tied different types of fraud to certain regions such as Eastern Europe, forcing businesses to go to great lengths to gain insight into new schemes and tactics. These types of insights are critical for establishing countermeasures, the most effective of which typically account for the social, cultural, and linguistic nuances known to characterise fraudulent activity originating in certain regions.

But in recent years, new cybercriminal communities and, as a result, new tactics and types of fraud have quickly emerged in many more regions. Latin America is one such example. While fraudsters in Latin America have long been considered unsophisticated, unorganised, and unlikely to pose any substantial threats to businesses, this community has since evolved substantially. Many businesses that previously had no reason to monitor the Spanish-language cybercriminal underground are now striving to understand and combat threats originating from fraudsters in Latin America. And given that threats and indicators can vary substantially across different regions and communities, keeping track of these variations and new developments is a must for businesses and anti-fraud teams.

Assessment

Just as fraudsters are extremely resilient, persistent, and resourceful, businesses, too, should seek to emulate these characteristics when fighting fraud. This means approaching fraud from new perspectives, learning about emerging schemes and tactics proactively, and seeking third-party services and expertise when necessary. While businesses have little control over the existence of fraud, they can control the extent to which they prepare for and mitigate this ever-evolving threat.

Below Puneet Taneja, Head of Operations at Teleperformance, discusses with Finance Monthly how banks can prevent, detect and protect against fraud.

Trade body UK Finance reports that over £500 million was lost to fraud in the first half of 2018. What is particularly worrying is that of the £500 million lost to fraud, over £385 million was lost with no knowledge or authorisation from the account holder1.

This news seems to cement current fears that fraudsters are becoming increasingly more sophisticated in their efforts to rob banking customers and overcome current financial security and anti-fraud measures. The rise of cybercrime has led to a new generation of fraudsters using technology to come up with new and innovative ways to steal hundreds of millions of pounds from customers, all while remaining undetected.

Although this may be stating the obvious, identifying, investigating and ultimately preventing fraud must continue to be a high priority. When banks consider the technology implementation necessary to drive banking innovation forward, this initiative is still in its infancy, with banks always striving to be on top of the latest and most effective methods to overcome fraudulent activity.

A reassessment of banking technologies and systems is the key to safeguarding customer accounts.

It’s all well and good to harness the power of existing technologies and data analytics to spot irregular data patterns to highlight suspicious transactions but this is only half the story. Employing a greater number of customer service agents who can aid in the risk management process can similarly help banks pre-empt fraud and treat the causes of financial loss, as opposed to the symptoms.

Overcoming fraudulent losses has the natural flow-on effect of boosting customer satisfaction, one of the key factors to banks’ long-term financial health. If customers view banks as being up to date on the relevant technologies to keep on top of inbound fraud, reputational equity builds and so too does customer satisfaction. This relies on banks being able to tackle the issue of fraudulent transactions in real time, in a proactive manner, rather than taking a reactive approach.

Using real-time anomaly techniques to spot suspicious transactions, financial institutions can achieve an astounding 92 percent reduction in fraud losses; in one instance, a UK national bank saved £3.54 million annually from credit and debit card fraud by using analytics technology.

Not only are banks able to mitigate the financial consequences but also the reputational repercussions from those who have fallen victim. Naturally, it can be very damaging to any organisation’s reputation when the media publishes an incident involving fraud. Banks need to ensure that customers appreciate the back-office efforts that are put into place to not only prevent fraud, but also support customers who fall victim to fraud.

Nevertheless, fraud is an inescapable risk associated with performing financial services and banks have a responsibility to be well prepared on how they respond to fraudulent activity. From a customer services standpoint, the main driver of this preparedness comes from banks needing to be seen as being on the customer’s side. This concerns being prepared to help consumers through financially troublesome times, like when they fall prey to fraudulent activity. This is an integral part of banks’ customer service efforts.

Overcoming fraud is a nation-wide effort that every organisation in the industry is currently attempting to accomplish. Eliminating fraudulent activity altogether may not yet be possible but firms have the technology available to make a significant difference. Considering a fraud prevention systems overhaul may be the key driver to banks detecting fraud faster and more efficiently than in recent times.

With the indictment of two former senior Goldman Sachs bankers, accused by US prosecutors of paying bribes, stealing and laundering money from a Malaysian sovereign-wealth fund, the Wall Street giant finds itself at the center of one of the world's largest-ever financial scandals.

Money laundering is a pan-European problem, with 90% of the continent’s biggest banks having been sanctioned for money laundering offences, new research by anti-money laundering (AML) experts Fortytwo Data shows.

The firm found that at least 18 of the 20 biggest banks in Europe - including five UK institutions - have been fined for offences relating to money laundering within the last decade, many of them within the last few years - an indication of how widespread money laundering has become.

Recent crises at the likes of ING, Danske Bank and Deutsche Bank only reinforce this impression, demonstrating how no bank is immune to money laundering sanctions, no matter how large.

All 10 of the biggest banks in Europe are known to have fallen foul of the AML authorities - HSBC, Barclays and Lloyds from the UK, French quartet BNP Paribas, Crédit Agricole Group, Société Générale and Groupe BPCE, Germany’s Deutsche Bank, Santander of Spain and Dutch bank ING.

Others to have been fined in recent years are the British banks RBS and Standard Chartered, Italy’s Intesa Sanpaolo SpA, UBS Group and Credit Suisse of Switzerland, Spain’s Banco Bilbao, Dutch institution Rabobank, and Nordea Bank of Sweden.

All five major UK banks - HSBC, Barclays, Lloyds, RBS and Standard Chartered - have been fined for money laundering offences. Earlier this year, Donald Toon, director of prosperity at the National Crime Agency, admitted in a Treasury Meeting that money laundering in the UK is “a very big problem” and estimated that the amount of money laundered here each year has now risen to a staggering £150 billion.

Banks and financial services companies have faced an uphill struggle to move onto more advanced AML platforms as they often attract a price tag running into tens of millions of pounds, potentially hundreds of millions once the cost of integration, operation and maintenance have been factored in.

More advanced augmentation platforms have moved the conversation on in the last few years, creating opportunities for companies to improve the efficiency of their AML processes at vastly reduced cost, while still using data stored in legacy systems.

Julian Dixon, CEO of Fortytwo Data, comments: “It is clear Europe’s largest banks are collectively struggling when it comes to anti-money laundering standards. The increasing sophistication of the money launderers makes this an ever more difficult task.

“Money should not be laundered on their watch. However, standards must be maintained. The fact that almost all of Europe’s 20 biggest banks are known to have failed to comply with AML regulations is a troubling finding.

“These days, there are effective solutions to be found. Technology has reached a level where it can vastly improve the efficiency of suspicious activity detection and all major banks have a responsibility to embrace 21st Century solutions to this problem, rather than continuing with outdated legacy systems.

“The UK has an opportunity now to lead the way and set a higher benchmark for others. That £150 billion is known to be laundered here every year is a problem that needs to be addressed and if we can clean up our act, others will be compelled to follow our example.”

(Source: Fortytwo Data)

On the back of Deutsche Bank’s recent ordeal, Finance Monthly gets the lowdown from Zac Cohen, General Manager at Trulioo, who discusses the steps banks and other financial institutions can take to strengthen their fight against money laundering.

Deutsche Bank recently made headlines after the German financial watchdog BaFin appointed an independent auditor to monitor the bank’s Anti Money Laundering (AML) compliance. This is the first time such an appointment has been implemented, highlighting the bank’s failure to meet due diligence requirements surrounding terrorist financing, money laundering and other illicit flows of capital.

As banks and financial organisations now operate in an increasingly global marketplace, they must grapple with the consequences of handling cross border transactions. Having lax Know Your Customer (KYC) procedures in place can be potentially crippling for banks worldwide, with fines being issued in the hundreds of millions if chinks in their anti-money laundering armour are uncovered.1 Yet despite over $20 billion being spent on compliance annually, only 1 per cent of illicit transactions are seized each year.2

Financial globalisation, still very much a reality despite shifting geo-political attitudes towards it, makes international money laundering practices a real force to be reckoned with. Indeed, international money laundering is becoming more widespread and this is, in part, down to the difficulties in maintaining full transparency when dealing with international clientele.

Banks and other financial institutions are legislatively obliged under Anti-Money Laundering rules to have full knowledge over their clients’ identities and the origins of their wealth. With money coming in from all corners of the globe, banks must be able to perform Know Your Customer (KYC) and Know Your Business (KYB) checks on a client base that may be moving money all around the world. In addition, establishing a “beneficial owner”, a derivative of KYC, must be a priority before financial transactions occur. The 4th Anti Money Laundering Directive (4AMLD) stipulates the necessity of ascertaining the beneficial owner of business customers, partners, suppliers and other business stakeholders. Some transactions, originating from unknown geographic localities, can be particularly difficult to verify.

The key to combatting this problem is leveraging the available technologies that can be implemented to help promote transparency. This is crucial, as these technologies aim to reduce the occurrence of fraudulent transactions passing through banks and financial institutions. Bad actors are becoming increasingly sophisticated in their techniques in directing fraudulent money through banks, employing techniques such as under- or over-invoicing, falsifying documents, and misrepresenting financial transactions. This increasing sophistication coincides with the rise in global money laundering, up 12 per cent from the previous year.3

There are, however, multiple technical advances available to help implement and streamline the process of checking and verifying ultimate beneficial owners and promoting transparency. Automated systems and artificial intelligence programmes can be used to scour company documents for a streamlined electronic ID verification system to verify personally identifiable information in conjunction with ID document verification and facial recognition technology to help paint a full picture of each beneficial owner of a business.

Putting this all together to create certainty and transparency about who you’re doing business with is crucial. Deutsche Bank have suffered severe reputational damage as a result of several anti-money laundering breaches that have reached the public’s attention over the last few years. The question remains, can banks implement the technology and processes they need with sufficient effectiveness to recover from this reputational strain?

1 https://www.reuters.com/article/us-deutsche-bank-moneylaundering-exclusi/exclusive-deutsche-bank-reports-show-chinks-in-money-laundering-armor-idUSKBN1KO0ZC

2 https://www.politico.eu/article/europe-money-laundering-is-losing-the-fight-against-dirty-money-europol-crime-rob-wainwright/

3 https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html

Zac Cohen, General Manager at Trulioo, discusses the key considerations for businesses before engaging in commerce in high-risk countries.

Doing business internationally is a complicated undertaking. Aside from the standard logistical challenges associated with doing business globally, organisations have to factor in considerations specific to different regions and countries. These considerations may include factors such as legislative, political, currency and transparency challenges.

Nevertheless, globalisation is storming ahead and businesses must be prepared to look beyond their domestic surroundings if they are to remain competitive in our global marketplace. International trade secretary Liam Fox has endorsed a move for UK-based businesses to adopt a more international focus, highlighting the importance of global competitiveness. Consequently, UK businesses are feeling the pressure to ramp up their efforts to target a more international consumer base. As if this wasn’t enough for international businesses and investors to grapple with, further complications and difficulties are liable to arise when doing business with “high risk” countries.

  1. Fraud and Corruption

A recent study by the World Bank estimated that an extra 10 per cent is added to the cost of doing business internationally as a direct result of bribery and corruption.1 Considering the immense amount of international trade, this figure is significant. The danger of doing business with countries considered to be “high risk” – defined by the Financial Action Task Force (FATF) as any country with weak measures to combat money laundering and terrorist financing – is the heightened potential of inviting transactions that are either fraudulent or otherwise corrupt.1 The following considerations should be carefully observed before entering into any commercial dealings with a country considered to be high-risk.

  2. Enhanced Due Diligence

As a result of the 4th Anti Money Laundering (AMLD4) directive, developed by the European Union, businesses have to adopt a risk-based outlook. The AMLD4 specifies that EU-based businesses must collect relevant official documents directly from official sources like government registers and public documents, rather than from the organisation in question. If a potential trading partner is located in a high-risk country, or serves an industry that has a higher than normal risk of money laundering, then that partner must conduct Enhanced Due Diligence (EDD) on the business entity. This Enhanced Due Diligence process involves additional searches that must be carried out by any firm seeking to do business with this kind of organisation. These searches may include parameters such as the location of the organisation, the purpose of the transaction, the payment method and the expected origin of the payment.

  3. Ultimate Beneficial Owners

AMLD4 also outlines the need to discover the ultimate beneficial owner of a business, whether they are customers, partners, suppliers or connected to you in another business relationship.

According to the Financial Action Task Force (FATF),

Beneficial owner refers to the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.

This is important as businesses need to understand who they are dealing with when physical verification is not a practical option. Difficulties could arise when verifying UBOs in high-risk countries as some national jurisdictions impose secrecy policies which block access to verification documentation. This problem is compounded when checking UBOs against international sanction and watch lists as there are more than 200 lists, which vary in scale and uniformity.

  4. Virtual Identification

However, verification can still be successful. Many are now turning to software that helps businesses to perform the necessary diligence checks. We gave a lot of consideration to the specific complexities of working with high-risk countries when developing our Global Gateway platform. Programmes such as these are designed to allow companies to perform the Enhanced Due Diligence, Know Your Business and Know Your Customer checks that are required when doing business internationally, particularly with high-risk countries. Compliance with the various pieces of legislation on this topic should be at the forefront when implementing the necessary verification checks.

Across the world, markets are becoming increasingly more open, paving the way to a truly global economy. If companies can get to grips with the key due diligence requirements, this is a move that will ultimately benefit the global consumer and customers alike.

With governments increasingly aware of the moral and fiscal costs of white-collar crime, the Dutch crime authority’s decision to hit ING, the Netherlands’ largest financial services provider, with fines totalling €775 million is of little surprise.

Tackling money laundering is currently high on the national and international agenda of many countries; the EU recently proposed providing the European Banking Authority with greater powers to sanction banks of member states that may be implicated in such activity.

In the case of ING, the bank has been forced to pay out the substantial fine for failing to flag abnormal transactions, and financing terrorism “structurally” by not verifying the beneficiaries of client accounts. The Dutch public prosecution service said that it found “clients were able to use accounts held with ING for criminal activities for many years, virtually undisturbed” from 2010 to 2016. The settlement, which is the largest ever imposed on a company by the Dutch prosecution service, is made up of €675 million in fines, and €100 million as the return of illicit gains intended to deter future violations.

The bank’s CFO has since announced his decision to step down following growing backlash. In addition, measures against ten employees were taken, ranging from dismissals to clawing back bonuses, with the prosecutor accusing the bank of “culpable money laundering”.

This is not a stand-alone case either; watchdogs have clamped down on Credit Suisse and Danske Bank this month over similar money laundering concerns. With authorities prepared to take a hard-line stance against money laundering, there will be severe reputational and financial consequences for organisations which – however unintentionally – enable this offence.

The focus is not simply on the culprits of money laundering, but on ensuring perpetrators have fewer tools to commit such crimes. The relevant authorities will increasingly take a punitive approach to financial institutions with lax crime prevention strategies. Financial institutions, whatever their size, must ensure their tools are inaccessible to those seeking to commit financial crime, or otherwise face extensive fines comparable to ING’s.

This is no easy task and requires a significant investment of time and resource. Banks must ensure they have robust financial crime compliance strategies and programmes in place with appropriate training to reduce risk and mitigate the consequences. This was a point that was not lost on Ralph Hamers, ING’s CEO, who stated that “although [ING’s] investment … [has] been increasing since 2013, they have clearly not been to a sufficient level”.

However, matters should not stop there; processes require frequent review given that criminals adopt increasingly sophisticated strategies to commit offences. Banks, therefore, must remain proactive and vigilant. To this end, the Dutch prosecutor noted that ING’s compliance department “was understaffed and inadequately trained”. In the case of ING, compliance failures were exploited by clients for years for money laundering practices before it was detected.

Effective streamlined processes, such as customer screening and alert processing, informed by risk assessments and financial crime regulations should leave little room for error during due diligence activities.

Iskander Fernandez, White Collar Crime Expert and Partner at commercial law firm BLM

Finance Monthly speaks with Alma Angotti, Managing Director and Co-head of Navigant Consulting, Inc.’s Global Investigations & Compliance practice, based in the company’s Washington DC office. With her 35 years of public and private sector legal, regulatory, and consulting experience, Alma currently works with financial institutions to, among other things, help them develop, implement, assess, and enhance anti-money laundering (AML) and counter-terrorist financing (CTF) compliance programs required under the Bank Secrecy Act (BSA). She provides BSA/AML/CTF and Sanctions training. She also assists financial institutions in designing their own BSA/AML/Sanctions training policies and programs, conducts investigations and transaction look backs and provides training on AML compliance, examinations, and investigations to regulators globally.

In your opinion, how robust is current anti-money laundering (AML) regulation? Is there anything that could be improved?

Legislatively speaking, the current US AML laws are robust.

One important gap in the AML laws is that Investment Advisers are not currently required to comply with the BSA. Investment Advisers sometimes have implemented AML compliance programs as a matter of best practice, but they have no obligation to file Suspicious Activity Reports. Because there is no enforcement mechanism, it is unclear how effective their programs are at detecting money laundering, terrorist financing, and other financial crime. There is a rule proposal that has been pending for several years. I think this is a risk area for the US and global financial systems.

Another area for potential improvement includes a legislative mandate for all companies registering in the US to include beneficial ownership information as part of the registration process and better cooperation among secretaries of state to assist in the identification of potential shell companies and corporations. Requiring the identification and information on the ultimate beneficial owner of a company deters shell companies and corporations from misusing registration systems and entering the US financial market. Understanding the beneficial owner of a customer account, or the ultimate beneficial owner of a financial transaction, are key elements for financial institutions to understand their customers and assess customer risk appropriately. Additionally, if the customer engages in suspicious behaviour, or suspicious transactions, knowing the ultimate beneficial party is integral to any potential law enforcement investigation.

Another area needing enhancement is the ability to share information with law enforcement and between financial institutions more easily. There is currently a US House bill introduced on this subject, H.R. 5783, the Cooperate with Law Enforcement Agencies and Watch Act of 2018. This bill limits a financial institution’s liability for maintaining a customer account in compliance with a written request by a federal, state, tribal, or local law enforcement agency. Additionally, the federal or state agency may not take an adverse supervisory action against a financial institution with respect to maintaining an account consistent with this request.

Beyond legislation and regulatory rule-making, however, consistent and robust enforcement of existing laws, rules, and regulations is critical to ongoing compliance by financial institutions.

What are the current AML issues and solutions affecting businesses and individuals operating in the US?

Some emerging issues that will impact financial institutions are the wider use and holding of cryptocurrencies, virtual currency exchanges (VCEs) looking for banking services, and issuers of initial coin offerings (ICOs) looking for broker-dealer and clearing platforms. Many banks and broker-dealers are de-risking and not providing banking services to VCEs and other high-risk clients (e.g. companies in the medical marijuana industry and customers holding penny stock portfolios) to save on BSA/AML/Sanctions compliance costs. As US regulators of financial institutions rush to regulate these emerging trends, financial institutions are struggling with how to take on these risks without running afoul of ever-changing regulatory expectations.

BSA/AML/Sanctions compliance related to cryptocurrency transactions and performing appropriate due diligence to know your customer when onboarding a VCE is further complicated in the US by the lack of a consistent regulatory definition of cryptocurrency. While many countries view cryptocurrency as currency or legal tender, the US regulatory authorities and law enforcement currently do not agree on whether it is legal tender, a security, or something else. For example, in a 2013 Guidance, FinCEN defined virtual or cryptocurrency as a ‘medium of exchange’ that operates like a currency in some environments but does not have all the attributes of real currency or operate as legal tender in any US jurisdiction. Whereas in 2016, the SEC suggested that cryptocurrency is a security. The Commodity Futures Trading Commission currently believes that it is a commodity, while the IRS views Bitcoin and the like as property that should be taxed.

Regarding ICOs, issuers are coming to consultants like Navigant to help understand unclear regulatory requirements, and broker-dealers are seeking advice on how to underwrite these issuers or onboard ICO companies to their platforms while continuing to comply with BSA/AML/Sanctions compliance laws, rules, and regulations.

What are the AML challenges affecting businesses operating cross-border transactions?

Growth in the volume of cross-border transactions, and greater integration of the world’s economies, have increased the risks that banks and financial institutions face in processing these transactions. Most financial institutions, however, still face challenges that diminish the efficiency and effectiveness of their AML/CFT programs such as: poor data quality and fragmented data sources; outdated technology; poorly tuned transaction-monitoring systems, resulting in high rates of false positives; and the continuous launch of new and complex products and services.

Another major challenge to businesses operating cross-border transactions is the advent and use of mobile payment processing services, and the use of mobile phone payment services, to pay third parties. Millennials are leading this trend by texting cash to friends and third parties, using apps such as Venmo (owned by PayPal), Square Cash or Cash App (owned by Square), Apple Pay, Samsung Pay, and others linked to social media apps like Snapchat. These payment systems obscure whether the transaction is a cross-border transaction, as well as significantly complicating issues such as who the ultimate beneficiary of the transaction may be.

Why is it so important to take an active stance on AML? What are the penalties associated with AML in the US?

Terrorism and transnational organised crime take a terrible toll on societies. The horrific terrorist acts we have seen over the past 20 years cost money and were financed by someone. Our AML/CTF and Sanctions laws, rules, and regulations are in place to stop and deter terrorists from using our financial institutions to finance terrorism, and to stop criminals from laundering the proceeds of other abhorrent practices such as human, sex, or drug trafficking, financing weapons of mass destruction, and nuclear proliferation. Financial institutions play a critical role in protecting the US and global financial systems from these bad actors. We all must be vigilant in this fight.

The importance of financial institutions’ role in fighting terrorism and keeping proceeds of illicit practices out of our monetary system explains the steep penalties for violations of these rules. Individual penalties can range from $500,000 to $1 million (such as the case of Thomas Haider of MoneyGram International) and up to 20 years in prison. Fines for financial institutions vary by regulator and violation. According to Bloomberg,[1] in the first quarter of 2018 alone, federal banking regulators and FinCEN concluded two major AML enforcement actions with almost $1 billion in forfeitures and penalties, the highest ever annual total for federal authorities.

Financial institutions are arguably the most at risk from fraud. What measures can they take to ensure fraudulent behaviour is minimised both internally and externally?

There are many steps financial institutions can take to minimise fraud risk, but at the core of these steps is training and the four-eye principle. Potential fraud — whether internal or external — is significantly reduced by proper training of all staff on the red flags of fraud. Risk is further reduced by ensuring that all processes include more than one set of eyes (i.e., two people — four eyes). Ideally, for transactions most at risk for potential fraud, financial institutions would have a supervisor or quality assurance/control person review the transaction in addition to the employee originating the transaction. A properly tuned transaction-monitoring alert system would then identify any anomalies or potentially suspicious activity post-transaction, further minimising risk.

What changes would you like to see implemented in AML legislation, both nationally and internationally?

As I stated above, I believe it is past time for US regulatory agencies such as the Department of Treasury and FinCEN to assert regulatory authority and oversight over Investment Advisors as financial institutions under the BSA and other AML laws, rules, and regulations. Internationally, it would be ideal to have a centralised repository of beneficial ownership information accessible to financial institutions and law enforcement. Efforts are beginning in some countries to centralise this information, but privacy laws and concerns about confidentiality are often a stumbling block to the sharing of this type of information.

About Navigant

Navigant is a specialised, global professional services firm with focus on industries and clients facing transformational change and significant regulatory or legal pressures. Navigant provides a range of advisory, consulting, outsourcing, and technology/analytics solutions, primarily serving clients in the financial services, healthcare, and energy sectors. Headquartered in Chicago, the company has approximately 5,900 employees across North America, Europe, the Middle East, and Asia-Pacific.

Website: https://www.navigant.com/

[1] Robert Kim, “Q1 Ends with Record $1B in Federal Anti-Money Laundering Penalties and Forfeitures,” Bloomberg Law, April 6, 2018.

The 05: Do Not Honor card declined response is the most common and general ‘decline’ message for transactions that are blocked by the bank that issued the card. This week Finance Monthly hears from Chris Laumans, Adyen Product Owner, on the complexities of this mysterious and vague transaction response.

05: Do Not Honor may be the largest frustration for any merchant that regularly analyses their transactions. Although it frequently accounts for the majority of refusals, it is also the vaguest reason, leaving merchants and their customers at a loss about how to act in response.

Although unfortunately there isn’t an easy, single answer about what this refusal reason means, there are several suggestions as to what could be the cause behind the non-descript message. So what might the 05: Do Not Honor mean? From our experiences analysing authorisation rates and working with issuers and schemes, here are some plausible explanations.

Insufficient funds in disguise

In probably half of the cases, 05: Do Not Honor is likely just an Insufficient Funds refusal in disguise. The reality is that some issuers (or their processors) do a poor job of returning the appropriate refusal reasons to merchants. This is due both to the use of legacy systems on the issuer side and to the absence of any mandates or monitoring by the schemes, which lets issuers continue to use it as a blanket term.

By looking at the data from various banks, it is easy to see how “Do Not Honor” and Insufficient Funds can often be used interchangeably. Records that show a disproportionately high level of Do Not Honor and a low level of Insufficient Funds refusals would suggest one masquerading as the other. Given that Insufficient Funds is one of the most common refusal reasons, second perhaps only to “Do Not Honor”, it makes sense that “Do Not Honor” by some banks may actually represent Insufficient Funds.

Refusal due to credential mismatches

Although the words “Do Not Honor” aren’t the most revealing, sometimes other data points in the payment response can be clues for the refusal. Obvious things to look at are the CVC response, card expiry date, and, to a lesser extent, the AVS response. For lack of a better reason, issuers will frequently default to using “05: Do Not Honor” as the catch-all bucket for other denials.

Suspicion of fraud

The most appropriate use of “05: Do Not Honor” would be for declining transactions due to suspicious activity on the card. In some cases, although the card is in good standing and has not been reported lost or stolen, an issuer might choose to err on the side of caution due to a combination of characteristics on a given transaction. For example, a high-value transaction made at 3am from a foreign-based merchant without any extra authentication will likely trigger a few too many risk checks on the issuer side. These types of refusals will again unfortunately be designated into the “05: Do Not Honor” category, with merchants drawing the short straw. Even though issuers may be able to point to specific reasons why the transaction was refused, issuers have no way to communicate this back to the merchant.

Some astute merchants might point out that issuers should be able to use “59: Suspected fraud” in these cases. Some issuers however remap these 59 refusal reasons to 05 before sending the response to the acquirer to protect store owners in the POS environment and avoid uncomfortable situations with the shopper standing in front of them.

Collateral damage

Finally, the reality is that you're likely not the only merchant that a given shopper interacts with. Regardless of how good your business is or how clean your traffic is, a shopper’s recent history with other merchants will influence the issuer's decision on your transaction. For lack of a better reason, the catch-all 05: Do Not Honor refusal can in some cases be seen as “Collateral damage”. If the shopper coincidentally just made a large purchase on a high-risk website or went on a shopping spree before reaching your store, there is the possibility that the issuer may decline the transaction at that moment in time. In these cases, there is unfortunately very little that can be done, except to ask for another card or to try again later.

Hopefully this helps shed some light on the possible reasons why ‘05: Do Not Honor’ is so dominant in the payment space and shows that there is no single reason for this response. Adyen’s advice for dealing with these refusals is to look at the data at individual issuer/BIN levels and, from there, try to distil patterns particular to those banks' shoppers.
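One way to do that issuer/BIN-level analysis is sketched below as an added example, not Adyen's code. It flags BINs where 05 dominates while Insufficient Funds is almost absent, then splits that BIN's 05 refusals by the credential clues mentioned above. The record fields, the thresholds, the BIN values and the use of ISO 8583 code 51 for Insufficient Funds are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

DO_NOT_HONOR = "05"
INSUFFICIENT_FUNDS = "51"  # assumed: ISO 8583 code, not named on the page
SUSPECTED_FRAUD = "59"


def _rec(bin_, code, cvc="match", expired=False):
    """Build one constructed refusal record (field names are hypothetical)."""
    return {"bin": bin_, "code": code, "cvc": cvc, "expired": expired}


# Constructed sample data: three issuers identified by made-up BINs.
SAMPLE_REFUSALS = (
    [_rec("999901", DO_NOT_HONOR)] * 16
    + [_rec("999901", DO_NOT_HONOR, cvc="mismatch")] * 2
    + [_rec("999901", DO_NOT_HONOR, expired=True)]
    + [_rec("999901", SUSPECTED_FRAUD)]
    + [_rec("999902", DO_NOT_HONOR)] * 6
    + [_rec("999902", DO_NOT_HONOR, cvc="mismatch")] * 2
    + [_rec("999902", INSUFFICIENT_FUNDS)] * 10
    + [_rec("999902", SUSPECTED_FRAUD)] * 2
    + [_rec("999903", DO_NOT_HONOR)] * 3
)


def refusal_profile(records):
    """Per BIN: refusal count plus the share of 05 and of 51 refusals."""
    per_bin = defaultdict(Counter)
    for r in records:
        per_bin[r["bin"]][r["code"]] += 1
    profile = {}
    for bin_, codes in per_bin.items():
        total = sum(codes.values())
        profile[bin_] = {
            "total": total,
            "dnh_share": codes[DO_NOT_HONOR] / total,
            "nsf_share": codes[INSUFFICIENT_FUNDS] / total,
        }
    return profile


def bins_with_masked_refusals(profile, min_refusals=10, dnh_min=0.8, nsf_max=0.05):
    """BINs where 05 dominates and 51 is nearly absent (assumed thresholds).

    BINs with too few refusals are skipped so a handful of declines
    does not produce a misleading share.
    """
    return sorted(
        b for b, p in profile.items()
        if p["total"] >= min_refusals
        and p["dnh_share"] >= dnh_min
        and p["nsf_share"] <= nsf_max
    )


def dnh_clues(records, bin_):
    """Split one BIN's 05 refusals by the other data points in the response."""
    clues = Counter()
    for r in records:
        if r["bin"] != bin_ or r["code"] != DO_NOT_HONOR:
            continue
        if r["expired"]:
            clues["expired_card"] += 1
        elif r["cvc"] == "mismatch":
            clues["cvc_mismatch"] += 1
        else:
            clues["unexplained"] += 1
    return dict(clues)


if __name__ == "__main__":
    prof = refusal_profile(SAMPLE_REFUSALS)
    for b in bins_with_masked_refusals(prof):
        print(b, prof[b], dnh_clues(SAMPLE_REFUSALS, b))
```

The "unexplained" bucket is what remains after the credential clues are removed; for a flagged BIN it is the portion that may be Insufficient Funds, suspected fraud or collateral damage reported as 05.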

Below Dave Orme, SVP, IDEX Biometrics, discusses the challenging landscape of payments and fraud, the fight against scammers and the obstacles the future will find in a cashless society.

Clearing up the mess left behind by fraudsters is a serious challenge and sees financial institutions having to absorb the monetary and logistical damage of card payment fraud daily. Meanwhile, consumers are left with a feeling of dread when they see transactions that they know they haven’t made on their payment card accounts. They find themselves needing to take time away from work or home to report stolen cards, cancel cards and wait for new ones. Not only is this frustrating for cardholders, it also takes a huge investment of time by banks to resource this process. Payment card fraud is a serious problem that affects every one of us.

In fact, card fraud is a serious and increasingly urgent problem. Financial Fraud Action UK (FFA UK) reports that in 2016, fraud across payment cards, remote banking and cheques totalled an astonishing £1.38 billion, an increase of 2% on the previous year. The overwhelming majority (80%) of this fraud involved payment cards; there was a particularly large (30%) increase in the proportion of cards lost and stolen, and these alone accounted for losses of £96.3 million.

There is no single reason for these figures; impersonation and deception scams, as well as data breaches, have all played their part. But the UK is becoming an increasingly cashless state — debit card payments overtook cash payments for the first time recently — so we have no real option but to stop the fraudsters. The obvious question is, how?

Fighting back

Financial institutions currently bear much of the impact of card fraud, and in response are investing heavily in machine learning, predictive analytics and other cutting-edge technologies to beat the criminals. These are having some effect; in 2017, fraud losses on payment cards fell somewhat (which contrasts with 2016, as we have seen), but even so there was still £566 million lost to payment card fraud alone and seven pence in every £100 spent was fraudulent — a very worrying statistic in a society that is rapidly increasing its reliance on cards.

In other words, payment card fraud has been a huge problem for a sustained period of time and the steps currently being taken to stop it are not effective enough.

Human nature

In a society that relies more and more on technology, payment cards are the weak link; or rather, the behaviours of the people who own and use payment cards are the weak link. It is human nature to make the mundane administration of life easier — but we all know how dangerous writing down your PIN because you keep forgetting it (and worse, keeping the card and the PIN together) can be. Many people are also guilty of sharing their PIN and card with their friend/partner/relative to enable transactions without the need to be present. Others give out cards and PINs to trusted people because they are elderly or have mobility problems and getting the necessities of life is so much easier that way. All these behaviours are very common, but they are also making card crime very easy.

People fail to keep their PINs or other card details safe not because they are inherently foolish or lazy, but because PINs are simply unfit for purpose. To be effective they demand a far higher standard of discipline and security from human nature than human nature is ever likely to give. The result is a massive headache for individuals, financial institutions and businesses all over the world.

But if not PINs, then what?

Giving the finger to fraudsters

Biometrics, including fingerprint recognition, is a field increasingly recognised as holding the key to card fraud prevention as such fraud becomes a more and more urgent problem. And while financial services may be looking at large-scale use of biometrics now, in other security-conscious sectors this has already happened. For example, many smartphones (which are themselves fast becoming the twenty-first century replacement for the wallet) are protected via fingerprint authentication, usually via a sensor on the lock screen. Passports are also routinely issued with biometric authentication built in, as are government ID cards. Biometrics are used where security is non-negotiable.

Until recently, including biometric authentication in a payment card was very difficult. This is because it required a sensor to be incorporated in the card and for many years those sensors were too large and inflexible to make that viable. However, there have been breakthroughs in this technology recently and we are now able to deliver a very thin, flexible fingerprint sensor that is easy to add to a standard card, so the major barrier to using biometrics with payment cards has now been overcome.

Looking ahead

Biometrics companies are now working in partnership with banks and other financial institutions, smartphone manufacturers and payment processing firms, to make gold standard authentication affordable, practical and available for payment card users and issuers. This is very good news for those in financial and security businesses, because the roll-out of biometrics in those fields will relieve much of the pressure of fighting what is, frankly, now a losing battle. With the arrival of simple, secure and personal authentication for all, hopefully we will see the demise of that twenty-first century pickpocket that is the payment card fraudster.

Three quarters of finance decision makers within UK businesses have admitted that their company could be susceptible to fraud because of poor accounts payable systems, according to a new report.

And 70% of finance decision makers also admitted that a failure to implement robust purchase order processing within their company was also putting them at severe risk from fraud.

In fact, according to the ‘Changing trends in the purchasing processes of UK businesses’ report commissioned by document management, accounts payable and purchasing solution provider Invu, less than a quarter (24%) of decision makers are ‘completely confident’ that they could prevent or detect fraud with their current systems.

The risk from fraud is also not limited by company size, according to the research, with 25% of large businesses and 30% of small companies harbouring some concerns about fraud due to weak processes and checks.

“Although we’ve seen a slight reduction in the amount of financial decision makers concerned about fraud, it is clear that concerns remain high within Britain’s business community and that not enough is being done to protect companies from becoming victims of fraud,” said Ian Smith, GM and Finance Director at Invu.

“Fraud is a huge problem for any business, with the results being potentially fatal. Automated processes, which can monitor purchase and payment processes, go a long way to prevent and detect these issues, but they are clearly not being deployed enough within UK businesses.”

(Source: Invu)
