On the same day that the prosecution rested its case against Paul Manafort, the U.S. Attorney’s office in Tucson, AZ got a seven-year sentence against a fraudster for a money-laundering scheme; a former Microsoft employee was sentenced to 18 months after pleading guilty to conspiracy to commit money laundering; a messy FBI sting involving money laundering came to light; and a report from the Financial Task Force (FATF) that looks at the techniques and tools used by professional money launders (PMLs) unveiled numerous new dangers.
Most cases involving bank fraud and money laundering don’t involve high-visibility political professionals or special counsels investigating election fraud. Yet all banks—including smaller institutions with fewer resources—are in the crosshairs anyway. They face almost the same level of trouble on two fronts: crime and compliance.
What’s a bigger problem for banks: crime or compliance?
How is that even a question?
Sure, there’s a constantly rising level of sophistication in financial services malfeasance: technological wizardry, multinational transactions, volume-based schemes, strategic targeting of vulnerabilities and a lot more. But the other side of the coin is equally problematic. In fact, the sheer difficulty of ensuring compliance with constantly evolving mandates—even as money launderers keep finding new ways to disguise illicit activities—is surely at the top of the priority list for financial services providers.
Numbers don’t tell the whole story, but they do tell a part. Estimates vary, but it’s clear that, collectively, banks have already paid out hundreds of billions in fines for failing to comply with industry mandates. This is despite the fact that the industry has made massive investments in this field—including in labor, specifically to manage processes that legacy technologies can’t address. SourceMedia reports that financial institutions in the U.S. now spend more than $70 billion annually on compliance initiatives, and global demand will reach $118 billion by 2020.
And it’ll get worse before it gets better.
McKinsey & Co identifies three core difficulties banks face in monitoring financial crime. First, it’s international volume: The number of cross-border transactions keeps growing. Next there are the rules: Regulators keep revising mandates to, for example, focus on areas such as terrorism along with existing financial crimes. Finally, there’s foreign policy: As the government expands its use of sanctions to target particular regions, an already-complex discipline gets even more convoluted.
It should be noted that there’s a potentially important development in this area. A new report from the Treasury Department, “A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation” highlights the challenges smaller financial service providers in particular face, and emphasizes the need for changes. “Many statutes and regulations addressing the financial sector date back decades. As a result, the financial regulatory framework is not always optimally suited to address new business models and products that continue to evolve in financial services,” the report states. Among other recommendations, the report “encourages banking regulators to better tailor and clarify guidance regarding bank partnerships with nonbank financial firms, particularly smaller, less-mature companies with innovative technologies that do not present a material risk to the bank.” These include revisions to “permissible activities” covering investments in non-bank platforms.
This might just be a policy shift, but we’re not there yet. In the meantime we have a more pressing problem: Every alert generated by a typical AML monitoring system need to be scrutinized to identify those that require an SAR (Suspicious Activity Report). However, a staggering nine out of ten alerts feature false alarms. So, reviewing huge numbers of alerts to find a few bad actors greatly increases both operational expense and risk.
Again, we can put numbers here: A study by compliance advisory firm Berlin Risk estimates that investigating a customer can cost as much as $24,000. That’s one reason why, in just the past five years, U.S. banks have increased the size of their compliance teams tenfold, even as they spend most of their time reviewing alerts that are ‘false positives.’
Remember, banks previously preferred rules-based processes to keep track of both crimes and compliance, and most AML software still uses a rules-based approach to identify suspicious transactions. However, regulators now emphasize a risk-based approach.
While regulatory policy may not define how a solution is to be implemented there is some clarity on what needs to be achieved. Some of the most commonly cited issues highlighted in an AML enforcement actions include:
- Effective oversight
- Focused customer due diligence
- Dynamic risk assessment
In the risk-based scenario, banks allocate resources to investigating accounts based specifically on their level of risk. It fundamentally shifts the focus to ‘smart bad actors’ who are adept at gaming the system and pose the greatest risk, rather than legitimate transactions that happen to have been flagged by traditional AML software. Bottom line: We get major reductions in costs and risk.
Going deeper, regulators have stressed that the first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the bank. In other words, one size definitely doesn’t fit all. So what’s involved in developing processes that can be customized to suit each institution’s particular needs? And how do we deploy technologies that serve those business priorities, rather than the other way around?
Consider the dictum of Safety and Soundness. CAMELS ratings are based on accessing data from various information systems. This encompasses Systems of Record (e.g. core banking); Systems of Engagement (e.g. loan processing); and Systems of Automation (e.g. digital banking). Bringing together the evolving discipline of risk-based compliance, along with new capabilities enabled by emerging technologies such as predictive analytics and machine learning, can we add a new variable to this equation?
Think of it as Systems of Insight.
In this arrangement we get a new kind of risk management—we measure and monitor before we manage and mitigate. It allows banks to better understand regulatory priorities and bank examiner frameworks. It leads to the design of business processes for unique business risks. It helps implement technologies based on those business processes. It enables metrics-based management. And of course, all these capabilities tie back directly to the core issues of the risk-based approach favored by regulators.
To get to this level, we first need the oversight process. This is why it’s critical that business processes drive the technology, rather than the other way around. Next, it enables a focused and customer-centric due diligence: Institutions can zero in on the smart crooks that pose the greatest risk. Finally, we have dynamic risk assessment: To manage the risks of tomorrow, solutions must be future-proofed.
Technology is itself truly dynamic—the best solutions today didn’t exist just a few years ago. Machine learning and advanced analytics alone can greatly mitigate the glaring problem of compliance officer productivity and risk management. These technologies instantly analyze patterns of customer behavior and predict which customer activities require the most scrutiny. They can also highlight which flagged alerts (in other words, suspect transactions) conform to a pattern of legitimate activity. This is used to create a triage process for alert management. Overall, it drastically reduces ‘alert fatigue’ and enhances productivity.