
Inauguration Day: What does the Biden Administration mean for FinCrime?

January 20, 2021. Inauguration Day. The end of an era. Following four years under President Donald Trump, the United States will have a new president. 

What should we expect under the administration of President Joe Biden and Vice President Kamala Harris? Your answer to this question will likely depend on your top priorities. At FINTRAIL, we have been working to help our clients understand and prepare for any and all financial crime-related changes that are anticipated under the new administration. While some specifics are up in the air, it is clear that tackling illicit finance will be a top priority. 

Broadly, we can expect to see some changes from the top down. The new Deputy Treasury Secretary, Adewale Adeyemo, has promised a review of the Office of Terrorism and Financial Intelligence’s programs, including FinCEN, with plans to increase both staffing and budget. With new resources, there is likely to be new guidance and potentially new enforcement measures coming into force. 

Let’s explore in a bit more detail what we are and aren’t likely to see across the major financial crime areas over the next four years:


Money Laundering

At the start of the year, Congress passed the latest National Defense Authorization Act (NDAA), which the Biden Administration will be responsible for implementing. The NDAA outlined several major changes for BSA/AML professionals, particularly the development of a beneficial ownership register. Once implemented, this register will have a huge impact on CDD for legal entities.  Professionals should also keep an eye out for the Biden Administration’s top AML priorities, which must be published within 6 months of the NDAA going into effect, as well as the results of Treasury reviews of existing AML/CTF regulations (especially those around SAR filing) and specific studies on emerging technologies, trade-based money laundering and money laundering to China. While not immediate, these outputs may lead to further significant revisions to the existing AML/CTF landscape.

Compliance changes could also come about through other legislation. For example, with Democrats now in control of both houses of Congress, there is likely to be another push to pass the Safe Banking Act, which would give financial institutions a pass to bank the cannabis industry. This would mean needing to revamp your risk appetite and potentially your screening program, as many firms currently screen against lists of legal cannabis providers that cannot yet be banked under federal law.

Terrorist Financing

Two-thirds of US terrorist attacks in the first eight months of 2020 were from far-right-wing domestic terrorist groups or individuals, and especially in light of the recent Capitol attack, it is likely that far-right-wing extremism will remain the most pressing terrorism threat to the United States. This will be a top concern for the Biden Administration, and Biden has promised to pass a new law against domestic terrorism. Even before the recent events at the Capitol, Biden was meeting with advocacy groups, such as the Anti-Defamation League, illustrating a unique commitment to, and exploration of, strategies to counter far-right-wing extremism. Practitioners have struggled with the lack of a specific federal crime for domestic terrorism, and there has not yet been a discussion of exactly what elements of counter-terrorism and counter-extremism the Biden Administration will prioritize. There is more explicit counter-terrorist financing legislation around the financing of foreign terrorist groups, for example, and any changes to laws against domestic terrorism could have knock-on effects for our understanding of terrorist financing. In the short term, some measures within the NDAA can be used to improve counter-terrorist financing efforts, particularly through improved public-private information sharing.


Bribery and Corruption

Countering corruption at home and abroad is expected to be a central focus of Biden’s overall agenda. Some of the changes made within the NDAA, especially regarding whistleblower protection and requirements around ownership disclosure, directly play into this. However, for many financial institutions, it is unlikely that there will be major changes in day-to-day anti-bribery and corruption exercises, at least in the short term. FinCEN issued an updated statement on PEPs in August 2020, and while further clarification may come along during the Biden administration, there has been no explicit discussion around the position changing in the near future. 


Sanctions Evasion

The Biden Administration has already promised a “top-to-bottom” review of OFAC’s sanctions program. As part of the Obama Administration, Biden did not shy away from the importance of sanctions as a foreign policy tool, so we shouldn’t expect a major shift in their continued use. With that said, there will likely be a shift in the specific regimes applied. Shifts will take time though, especially in light of the recent move to re-add Cuba to the state sponsors of terrorism list and the time that may be needed to renegotiate the Iran nuclear deal. In some areas, we can expect sanctions to tighten. For example, Biden’s Chief of Staff, Ron Klain, has already spoken about the introduction of new sanctions in response to the recent Russian cyber attacks against the US government. There is also emphasis on taking a more multilateral approach to issuing sanctions, which could see the rollback of secondary sanctions or the pursuit of joint US/UK or US/European sanctions targeting human rights violators. Make sure your list provider will be able to quickly and accurately provide you with updated OFAC lists and that you understand any new conditions, particularly if more complex sectoral regimes are applied.

Tax Evasion

President Biden’s pick for National Security Advisor, Jake Sullivan, has previously written about ramping up efforts against tax havens as a core pillar of US trade strategy. Biden has similarly written about the importance of closing tax loopholes and reducing tax avoidance. In the near term, the implementation of the 2021 NDAA will also help with efforts to clamp down on tax evasion, particularly through the targeting of anonymous shell companies. Practitioners should continue to watch this space, as efforts to clamp down on tax avoidance may push some activity that has been licit into being illicit. 

Fraud

Fraud is also likely to be prioritized by the incoming administration, but immediate and wide-ranging changes are unlikely. In terms of prosecution, experts have noted that there is a “serious backlog” of fraud cases, which will likely take time to process. More practically, BSA/AML professionals should pay attention to when Biden’s new $1.9 trillion COVID relief package is passed - most likely sooner rather than later given the Democrats’ control of the Senate. This promises further government support for individuals and small businesses, which, like the Paycheck Protection Program, is likely to lead to an increase in related fraud typologies. Make sure your monitoring system is tuned to detect these typologies, especially based on any patterns detected during the prior waves of stimulus, and that you have the human and technical resources to manage any surges in fraud.

Market Manipulation

Experts predict an increase in investigations into market manipulation and securities-related crimes, including insider trading and accounting scams. However, it is important to remember that securities prosecutions can take an especially long time, so we are unlikely to see anything immediate in this space. There has not been a substantial discussion around reforms the Biden Administration is planning, but Gary Gensler, the Administration’s likely pick to head the Securities and Exchange Commission, has a history of pushing through stricter oversight regulation and “issuing hefty fines,” as seen during the Libor scandal.

There are going to be changes to the way we think about and operate financial crime programs under the Biden Administration. While it may take some time to see the true impact of these changes, the shift in mindset and priorities will hopefully help the US continue modernising its overall approach to anti-financial crime.


Partners Against Crime: Building Strong Partnerships on the AML Frontlines

It is safe to say that the US FinTech market has hit its stride. Global FinTech funding soared past $34 billion last year, and the US makes up around half of the global FinTech market. More and more consumers are turning to FinTech products to transform the way they manage their finances, paychecks, loans and insurance. With COVID-19 keeping us all socially distanced for the time being, the move toward digital finance is only going to pick up more steam. 


But the FinTech sector isn’t built on standalone infrastructure. As Banks attempt to stay on the forefront of innovation and as FinTechs seek the regulatory and compliance infrastructure they require, FinTech/Bank partnerships have become the new normal. This has been particularly important for the growing internationalization of FinTechs - as successful European FinTechs seek to cross the pond, having a legacy partner helps them gain a foothold.


These partnerships can take a variety of different forms - though for the sake of this piece, we’re going to focus on community banks that handle the banking back end of FinTech products, such as holding FinTech customer deposits and ensuring they are FDIC-insured or offering for-benefit-of (FBO) accounts to FinTech MSBs. As part of these relationships, FinTechs end up not directly regulated, and it’s up to the partner to ensure the FinTech remains compliant with BSA regulations. This means that banks have to be careful to select the right FinTech partners, and the same goes for FinTechs! Wirecard’s recent collapse, which has sent FinTechs all over the world scrambling for new partners, particularly highlights the level of overall due diligence and care that is needed when forming and sustaining a banking partner relationship.


What Happens When It Doesn’t Work Out?

We’ve seen first hand how FinTechs and their partners are pushing forward to innovate not just on customer-driven financial services, but also on financial crime prevention. However, the risks of getting partnerships wrong still need to be taken seriously and inform a firm’s approach to stakeholder management. 


So what does it look like when things go wrong? 

For some FinTechs, it means not getting very far. US partner banks tend to have steep compliance requirements and expectations - that means being able to demonstrate your BSA/AML compliance capability up front through risk assessments, policies and procedures, training, and effective control integration. Partner banks like Cross River weed out the majority of prospective FinTech partners due to the amount of compliance required. For FinTechs, failing to get a partner bank relationship set up can mean the difference between a successful funding round and going back to the drawing board. For European FinTechs and other international players with their eyes set on the US market, failing to obtain a banking partner due to compliance reasons could potentially shut off millions of new customers and dramatically set back scaling plans. 


A few bad actors could also risk the current environment of strong partnerships. Across-the-board de-risking of correspondent banking illustrates what can happen when the difficulties managing AML/CTF controls within a partner relationship cannot be prudently resolved.


The picture isn’t great for partner institutions either. Building out relationships with the FinTech sector is becoming a profitable lifeline for institutions looking for ways to innovate and reach new client segments outside of their traditional stomping grounds; turning off the taps can obviously have an impact. And on the compliance side, as FinCEN expects financial institutions to ensure the compliance of their FinTech partners, failure to do so could risk steep fines and penalties. 


In fact, one of the most frustrating obstacles to successful partner bank/FinTech relationships can be the current regulatory landscape, according to Robin Garrison, VP of Compliance at MainStreet Bank, who presented on making the most of partner bank relationships at the FinTech FinCrime Exchange (FFE). Certain regulators can hold traditional and sometimes out-of-date perspectives on risk and financial crime - and the absence of a unified approach between different US regulators (the Office of the Comptroller of the Currency (OCC), for instance, has been much more proactive in supporting FinTech innovation than some of its counterparts) can only add complication. To really get the regulator onboard, Robin added, it’s important for FinTechs and their partner banks to work together to ensure appropriate testing has been done to evidence to the regulator that any financial crime risks are being appropriately mitigated.


Even if a FinTech and partnering bank do succeed in getting a relationship off the ground, poor relationship management can hinder positive efforts to prevent financial crime. High volumes of manual work, a lack of knowledge on how the other party is operating, and long delays in communication can mean that even if a partnership looks successful on the outside, it may still be struggling with balancing financial crime compliance and customer experience. 

How Do You Make It Work?

Looking at the risks involved with setting up a successful partnership, it’s no wonder that it can be difficult for a startup to break into the FinTech space or for a legacy institution to take the leap into a new relationship in a digital world. But there are plenty of examples of where partnerships have taken off. What are they getting right? 


1. They set a strong foundation. 

This is something that features in all of the industry reading on how to make the most of a partner bank relationship. And that really is relevant here too! If you don’t have a strong, open, and transparent partnership in other parts of the business - such as making sure your financials are sorted and growth strategies are aligned - then it’s going to be difficult to build a relationship that allows you to successfully fight financial crime. In fact the best approach to building a positive relationship is to ensure that BSA/AML compliance isn’t segregated. From day one, compliance should be considered as an integral building block in wider relationship management efforts. This will ensure it doesn’t come back to bite once the relationship progresses on the commercial side.


Strong, positive foundations also go beyond shared values. Robin left FFE members with an important message about selecting the best banking partner. “Don’t go with the first partner bank willing to accept you. It can be very difficult to ensure that your data can be fed into and processed by your partner bank, so think about how well your technical systems will integrate when picking your banking partner.” Without aligned systems, anti-financial crime processes become a greater operational burden, and it becomes far more difficult for the partner bank to have the information they need in order to conduct robust assurance on the activity of their FinTech partners.


2. They establish clear roles and responsibilities.

Establishing clear roles and responsibilities is important for any business relationship, but it’s especially important from a financial crime perspective. When laying out the contractual arrangement, FinTechs and partner banks should try to agree up front and in writing who will be responsible for which part of the BSA/AML control framework and who the key points of contact are. 


For example, does the partner bank need to review all KYC files on a FinTech’s new customers before they onboard, or will the partner bank perform assurance on the KYC process through periodic (e.g. quarterly) spot checks? If the FinTech is managing KYC, who should they talk to about trialling a new ID verification provider? Who will be responsible for OFAC screening at onboarding, throughout the business relationship, and for customer screening? To what extent should the FinTech establish their own transaction monitoring tool? Or will they be able to rely on the TM system offered by the partner bank?


There may be circumstances where the partner bank and FinTech relationship is so intertwined that setting rigidly defined roles and responsibilities just isn’t feasible. Anthony Jerkovic, Head of Data & Risk at Bank Novo, explained that, in Bank Novo’s partner banking relationship, roles and responsibilities often require a certain level of flexibility in order to effectively address the dynamic problems faced day-to-day. “If everyone touches a case, it is hard to precisely draw the lines of responsibility. Instead, we focus on close communication and working together and try to see them as an extension of our own team.”


If partnering firms aren’t able to develop a close working relationship or meaningfully outline roles and responsibilities, problems will inevitably arise. At best, it may take longer for both parties to process financial crime-related tasks, such as the investigation of unusual or suspicious activity, but at worst, serious financial crime cases could go undetected, as no one was formally designated as being responsible for identifying red flags.



3. They have a clear escalation process.

As part of laying out a clear delineation of roles and responsibilities, partner banks and FinTechs should also work together to establish clear escalation paths. The goal is to determine when the hand off happens and how. A lot of this will come down to the partner bank’s risk appetite, as they are the ones ultimately liable for any financial crime activity that occurs. But depending on the relationship, there may be certain activities that the FinTech can respond to without immediately escalating to their partner bank.


For example, one partner bank may be comfortable with a FinTech making a decision on whether to accept a customer with an adverse media finding against them, while another partner bank may require all adverse media hits to be escalated to their compliance team for review. 


Let’s look at another example, which illustrates how escalation and communication paths work both ways. For instance, if a FinTech is doing their own customer screening, they may be expected to escalate all confirmed PEPs to the partner bank for approval prior to the start of any business relationship but only do so after clearing the alert and requesting necessary due diligence documents on source of wealth and source of funds. By contrast, if the partner bank does the customer screening, they may have to reach out to the FinTech to communicate with the customer to obtain EDD documentation.


Without getting the escalation process right, FinTechs and partner banks will run into the same problems as with roles and responsibilities - difficulty maintaining BSA/AML compliance and operating effectively. 

4. They regularly communicate on all things fincrime. 

The whole goal of outlining roles and responsibilities as well as escalation paths is to ensure that communication on financial crime issues remains robust throughout the partnership. This is especially important when both parties are closely involved in day to day financial crime operations. Without close communication, unusual customer activity can’t be investigated quickly, leaving funds suspended in a way that can damage a customer’s experience if they’re innocent. Given how quickly funds can move in and out of a FinTech account, without close cooperation, a partnership may fail to stop significant volumes being laundered through an account. 


Samuel Peters, BSA Manager at Middlesex Federal, Bank Novo’s partner bank, highlighted that “especially when dealing with those in traditional banking, communication is key.” Depending on the nature of the relationship, frequent and regular touchpoints may be needed, even multiple times per week. Samuel also flagged, though, that it was important to ensure that both FinTechs and their partner banks understood that there would always be some level of risk involved in the arrangement. “Traditional banks and FinTechs are going to have different risk appetites; regular and open communication is the best way to help close the gap.”


Of course, there are also regulatory expectations with regards to reporting. Partner banks are currently expected to file a suspicious activity report (“SAR”) within 30 days of the initial detection of the suspicious activity, provided there’s a suspect. This means that the FinTech has to move quickly to escalate any unusual activity and work closely to support any investigation from the partner bank in order to meet the deadline. 


Even in cases where FinTechs are given a good degree of autonomy, they should still work closely with their partner bank to ensure that both remain on the same page in terms of risk appetite. This means keeping the partner bank up to date on any new product developments, target customer segments, and geographic expansion plans, as all of these would impact the FinTech’s financial crime risk profile. 


What Next?

FinTech relationships with partner banks aren’t going away and do come with their share of risks. But through successful stakeholder management efforts taken with a fincrime focus, both parties can work together to stop criminals exploiting the US financial ecosystem.

We have experience working on both sides of the table to help FinTechs and their partner banks manage financial crime risks. If you’d like to discuss this more, please contact our US team or email us at: contact@fintrail.co.uk

The Impact of Coronavirus on Financial Crime is Bigger Than You Think

From war to pandemic, there is always a class of profiteers seeking to take advantage of a country or world in crisis. Unsurprisingly, the behaviour has emerged once more in response to the escalating international outbreak of COVID-19. US cyber security firms and news agencies have repeatedly warned about the rise in coronavirus phishing scams, where emails purporting to be from trusted authorities like the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) are being sent to unsuspecting victims, tempting them into downloading malware onto their devices. Scam cures, such as colloidal silver and essential oils, are also on the rise. The Federal Trade Commission (FTC) and Food and Drug Administration (FDA) have even issued warning letters to several companies, who may be found to have violated federal law for selling unapproved products using false claims.

Unfortunately for financial crime compliance professionals, coronavirus risks go far beyond old scams targeting new fears. The landscape and scale of financial crime compliance risks are fundamentally changing, and without sound risk management, we might find ourselves among other overwhelmed, underprepared industries in the face of a pandemic. 

It’s Not Just Fraud

While fraud has understandably received the most immediate financial crime-focused coverage, this is not the only financial crime area that we should analyse for potential spikes. 

For example, we could see spikes in certain types of money laundering activity. Look at money mules - who are often recruited online through fake social media employment or romance scams. As individuals lose their jobs or have to find work from home, the prospect of being able to earn funds quickly through moving money from one account to another may become even more attractive. Some sites are even directly recruiting money mules in the name of supporting coronavirus victims. 

It’s not all bad, however! Cash-based activity is on the decline in countries hard hit by coronavirus, and potentially cash-based money laundering along with it. Major international terrorist groups, such as the Islamic State, are advising their fighters not to travel to Western countries undergoing severe outbreaks of coronavirus, which could impact terrorist financing flows. 

The best thing for financial crime professionals to do is to spend time thinking about how the pandemic may impact the specific financial crime risks they face as a business. They can then adapt their controls accordingly, to best mitigate the evolving threat landscape. 

Investigation and Enforcement

Investigations are beginning to stall in the face of coronavirus as well, hindering the ability to meaningfully prosecute complex, cross-border cases involving bribery and corruption, organised crime and sanctions evasion. As the pandemic spreads across the globe, with travel bans, home working and quarantines being used as containment measures, compliance officers and lawyers investigating bribery and corruption have been forced to delay meetings and interviews, which could allow cases to drag on and bad behaviour to continue to proliferate. 

In addition to stalling investigations potentially allowing for compliance risks to slip through the cracks, law enforcement is also facing pressure to keep up with demand. Police in the US are now shifting gears to enforce coronavirus rules and in some areas, have been urged to avoid “unnecessary arrests” as this could only lead to the virus spreading. Law enforcement priorities are fundamentally shifting, and financial crime is unlikely to get the focus or resources it needs. 

Compliance Ops

Particularly in FinTech hubs like New York City and San Francisco, the latter of which is under a shelter-in-place order, employees are having to work from home in order to keep the business running smoothly, and this includes BSA/AML compliance operations staff and analysts. While FinTech workplaces generally encourage more working from home and may have better controls in place to ensure data security, the hasty transition can still generate problems if not managed effectively. 

While internal fraud is often viewed as less of a concern in small and medium sized FinTechs, given the close and collaborative nature of their teams, this risk should still be fully mitigated. More than half of all frauds committed against businesses are carried out either internally or by an internal actor colluding with an external one. And this is something we have increasingly begun to see in the FinTech sector. We have personally experienced cases where FinTechs have had to engage in trying internal fraud investigations, or where staff have been contacted by organised crime groups asking them to engage in fraud.

Generally speaking though, the vast majority of internal staff are team members trying their best for the company. Front line team members need to be supported now more than ever in the work that they complete. Staff may fall ill, leaving others having to balance heavier workloads. Staff may not find it as easy reaching out for help evaluating a new alert. And responding to crises can also detract from other important financial crime tasks, like filing SARs (if this is the case, make sure to contact FinCEN). In-person training and support that staff need in order to thrive, excel and finish work on time may not be readily available. By taking steps to ensure regular team communication, health, wellbeing, and safety, as well as access to educational resources, firms can build out more resilient teams. 

Recession?

Finally, we get to the elephant in the room: it’s difficult to find an economist that doesn’t think the coronavirus pandemic will bring the global economy into recession, especially as we seemed to be nearing one prior to the outbreak. With transportation and hospitality industries suffering major blows, and with outbreak hotspots like Italy already facing a delicate economic balance, we should start looking at what impacts a recession could have on financial crime levels now. 

Data from the last global recession indicates that financial crime and crime generally can go up during a recession. The first 6 months of 2009, for example, had the highest fraud rate observed to that point in KPMG’s Fraud Barometer, and 36% of senior executives reported to Kroll that they believed fraud risks had increased due to the recession.

One report from the World Economic Forum indicated that, for young people struggling to find employment during a recession, the arrest rate increases by 10.2%. The difficulties in pursuing legitimate employment make criminal enterprise more attractive; what’s worse - once involved in criminal activity, it can be very difficult for these individuals to leave, making the level of recession-rooted crime increase further. 

When thinking about financial crime contingency planning in the face of coronavirus, we need to think even bigger than just the short term impacts and start evaluating what our response will be in the face of possible recession. This also includes considering what typologies may evolve or proliferate, such as benefit fraud as more people apply for unemployment.

What You Can Do 

There is a lot of uncertainty out there in the face of coronavirus, and we will benefit as an industry by working collaboratively to tackle financial crime challenges as they occur. Below are just a few tips and tricks for how to tackle coronavirus as a financial crime threat:

  • Reconsider your BSA/AML risk assessment. Which inherent risks are more or less impactful in the face of coronavirus? Which controls might be weakened?

  • Evaluate whether your second line controls can provide the same level of assurance in the current situation. Where external expertise is needed, work with digitally-focused consultancies who can easily support you remotely.

  • Check up on your internal fraud procedures to ensure strong whistleblowing protocols are in place, as well as appropriate access rights and four-eyes checks.

  • Increase staff engagement through financial crime catch ups, remote training and clear lines of communication. 

  • Don’t stop contingency planning, and add a potential recession to the list of events you’re planning for. 

We are working hard with the FinTech FinCrime Exchange community to learn more about what specific steps the international FinTech sector is taking in response to coronavirus as part of their contingency planning. Stay tuned for future insights.

If you have questions about how your business should proactively take on financial crime in the context of coronavirus, reach out to Megan Millard or Meredith Beeston.

The Dangers around Data Quality: How Poor Data Quality Can Harm Your Ability to Fight Financial Crime

FinTechs and RegTechs are at the forefront of using data innovatively and efficiently to help facilitate everyday financial services. When managed correctly, this data can also help strengthen AML/CTF defences and help you pick out unusual or suspicious behaviour and customers. However, that doesn’t mean that FinTechs and RegTechs are immune to missteps when gathering, transporting and utilising data. When data quality goes wrong, the dangers can have a hugely damaging impact on the strength of anti-financial crime controls. Here are a few areas to take into consideration when evaluating how your data quality impacts your AML/CTF operation. 

What are the risks?

FinTechs tend to collect non-standard data on their customers. This not only covers the use of electronic ID verification, selfie matching and address verification technology, but also the collection of non-standard data points, such as IP address, geolocation and device ID. While this provides FinTechs with a number of benefits, including a more dynamic risk profile along with a more seamless user experience for customers, there can be major risks to meaningful financial crime prevention if the data collected isn’t robust. 

A FinTech could run into trouble if:

  • Non-standard data becomes limited data

    • This is when collecting less information from your customer and more information about your customer crosses the line into not enough information on your customer at all. Not only is there a regulatory implication of this, but it could also hinder your ability to implement a number of key financial crime controls - from transaction monitoring based on customer behaviour to customer screening against PEPs, sanctions and adverse media databases. 

  • The onboarding experience is over-prioritised 

    • One of the key benefits FinTechs offer is a more streamlined customer experience, so that customers can start using a product within a few minutes of signing up on the app or website. However, if too much priority is placed on having a seamless onboarding journey, it could lead to not enough information being collected on a customer to form a useful profile on their risk level and expected behaviour. FinTechs can consider limiting access to their product based on information collected or adding a few extra steps for customers deemed high risk in order to help combat this concern.

  • Data isn’t refreshed 

    • Obligations to know your customer don’t stop with onboarding; it’s imperative to keep customer data accurate and up-to-date. Without refreshing customer data, it may be more difficult to truly understand whether a customer’s behaviour is unusual or suspicious, and it may likewise become difficult to fully understand the risk they pose. 

  • Data is entered manually 

    • While most data a FinTech collects will be gathered automatically, some data requested from customers through in-app chats or help desks may require manual entry. Entering data manually, without robust four-eyes checks or routine assurance, can leave a FinTech open to problems from inaccurate data that can make it difficult to truly know who your customer is and their risk profile.

FinTechs can also run into trouble with gathering, analysing and responding to management information (MI). Especially when starting up and building out a compliance framework, MI collection, storage and analysis may not be their top priority. In the worst cases, important macro-level data on SAR volumes, customer breakdowns, risk types and TM alerts could go undervalued. Without regular MI collection, easy access to data and trend analysis, quality assurance on AML/CTF controls becomes more difficult. This has knock-on effects, making it harder to update your risk assessment and risk appetite and accurately reflect your product to the board and regulators. Poor MI can even prevent you from being able to advocate for the resources you need on a financial crime team.

What about RegTechs?

Given the digital and innovative nature of their products, FinTechs tend to rely heavily on RegTechs, especially at the point of onboarding. This means that it is incredibly important for FinTechs to understand how and what data RegTechs access, use and provide and consider how this can best support their AML/CTF operations. When considering the use of RegTechs there are some key risks that FinTechs should be aware of: 

  • ID&V Providers

    • RegTechs have spearheaded major innovations in digitising the ID verification process, making it easier to reliably onboard customers in minutes and spot fraud indicators that the human eye struggles to detect. The main data quality risk we’ve seen with ID&V providers is potential inaccurate transposition. In this case, data that is automatically pulled from ID and proof of address documents into customer forms and profiles doesn’t match the actual data on the ID. When data pulled from an ID is incorrect, it can lead to poor records being kept on a customer that make future customer screening and investigation of suspicious activity more cumbersome, weakening the wider AML/CTF controls infrastructure at the FinTech.

  • Customer Screening Tools

    • The use of RegTechs for customer screening generally gives FinTech customers access to vast amounts of information that can be customised to the FinTech’s specific product offering and customer base. However, even with the amount of quality data provided, there can still sometimes be gaps that need filling. Particularly with PEPs and their relatives and close associates (RCAs), we have seen databases missing key information, including dates of birth, photos, activity, nationality, citizenship and address. We have also seen the inclusion of deceased PEPs and RCAs and some PEPs and RCAs who haven’t been active for decades. When this information is screened against, it can be more difficult for an analyst to clear alerts and can generate large volumes of false positives that require clearance.

Once again, MI is worth considering. When RegTech providers offer poor analytics on the services they are providing, rather than analytics that can be easily categorised and sorted, their FinTech customers will have to rely on manual processes in order to gather and assess crucial information that informs risk and control frameworks. MI needs to be able to provide detail where required and show changes over time. Access is also critical; in our experience, certain RegTech providers’ systems are difficult to access, with support teams that take time to respond to requests for additional information. The best approach we see is when RegTechs and FinTechs work together dynamically in order to ensure information can be swiftly accessed.

Top Takeaways 

While many of the FinTechs and RegTechs we engage with are taking the needed steps to ensure the comprehensiveness and effective usage of their data, there are still some pitfalls that indicate the negative impact when things go wrong. There needs to be more awareness of how poor data quality can emerge and how it can affect our anti-financial crime operations. Ongoing quality assurance, testing and audit are essential to ensuring that we remain out in front of any potential data quality errors. 

So what should we do?

FinTechs:

  • Take a risk-based approach to KYC and the gathering of customer data, gathering more data on higher risk customers to ensure you’re able to understand their behaviour and your ongoing risk exposure. 

  • Perform regular KYC refreshes and take a risk-based approach to these as well, to ensure you have the highest quality, most accurate data on your customers.

  • Implement robust assurance on manual processes, perform rigorous testing on RegTech providers, and ensure financial crime compliance has input into data storage practices.

  • Collect MI on all key aspects of your anti-financial crime programme, including on customer risk, customer due diligence and screening, transactions, suspicious activities and exits for financial crime. This information should be regularly shared and easily accessible for the second and third lines of defence.

RegTechs:

  • Consider a data quality review by a third party to get ahead of any potential complaints that clients may identify when it comes to the data you provide and transpose. 

  • Internally review the transposition of data pulled from documents and other sources to ensure it is being accurately reflected. Consider implementing a human review element depending on the data quality risks.

  • Devote research analysts to building out PEP profiles to encourage more efficient alert clearance, and build in filtering options so that firms can filter out deceased or inactive PEPs, RCAs and sanctions targets. 

  • Build robust analytics and reporting functions with access that can easily be determined by clients to meet their specific needs. 

  • Ensure requests from clients for additional information are responded to promptly and properly, and that this practice is expressed within agreed SLAs. 


If you or anyone on your team would like to discuss or explore how data quality concerns may affect your company and what steps you need to take to improve your approach, please feel free to get in touch at contact@fintrail.co.uk.

Tackling Vulnerability: How to Increase Financial Inclusion While Also Championing Anti-Financial Crime

The Financial Inclusion/Financial Crime Nexus

Through our work in anti-financial crime (AFC), we’ve witnessed firsthand how FinTechs have been able to utilise new technologies in order to support traditionally underbanked customers - from international students to migrant workers. In this arena, FinTech leadership is absolutely necessary - nearly 2 million people in the UK are still considered financially excluded. And sadly, this isn’t the full picture; the under-banked, who don’t have access to the full range of financial resources and support, are also cause for greater efforts toward inclusivity. In the US, for example, where the unbanked population is around 6%, nearly another 20% is considered “underbanked,” indicating the scale of this problem. 

Reporting from the FCA directly connects the financial exclusion of the unbanked and underbanked to the wider issue of vulnerable customers. Nearly half of people in the UK display one or more characteristics of vulnerability, such as mental or physical health difficulties or financial debt or distress. Vulnerability clearly can harm an individual’s capacity to navigate financial services. Without financial knowledge and support, a backbreaking cycle may develop, where financial anxieties worsen existing vulnerabilities, increasing the likelihood that someone is pushed further and further from the traditional financial ecosystem.

In July, the FCA published guidance for consultation on the treatment of vulnerable customers. This guidance aims to help firms better understand vulnerable customers, ensure their staff have the skills to engage and support vulnerable customers and build their products, services and processes to be more inclusive. We at FINTRAIL are impressed with the steps the FCA is taking to tackle this issue head-on, by providing clearer expectations, recommendations and examples of best practice. 

With that said, however, the guidance offers limited discussion around the intersection between vulnerability, financial inclusion and AFC efforts. This comes in spite of strengthening AFC efforts that, while designed to prevent criminals from exploiting and profiting off of victims, may unfortunately disadvantage some vulnerable individuals as well. For instance, customers who have had their identities stolen and whose names have been added to fraud databases may struggle to get access to financial products - especially if they don’t know their identities have been stolen. Customers could also fall victim to common financial crime scams, such as romance fraud or authorised push payment fraud, or could be manipulated into becoming money mules - unaware that their actions are actually money laundering. Another example to consider comes from the 5th anti-money laundering directive (5MLD), which will reduce the threshold for applying simplified due diligence on prepaid card customers from €250 to €150 - making it more difficult for many financially excluded individuals to access one of the key financial products they rely on. As we near the close of the FCA’s consultation period on October 4, here are a few of our impressions of how we can improve financial inclusion while also championing best practice in our AFC controls.

KYC

For FinTechs onboarding a customer, we often see electronic address verification and selfie + ID matching used to facilitate a smoother onboarding process. While selfie + ID matching can sometimes help firms identify vulnerable customers through visual indicators (e.g. evidence of coercion or injury), both tools can still struggle to identify or verify types of vulnerable people. For instance, someone fleeing domestic violence may not have access to their standard documentation or have proof of address. A recent immigrant to the UK may struggle due to poor language skills to understand the requirements for onboarding and again may not pass an electronic address check, by not being on the electoral roll. Young customers from financially disadvantaged backgrounds may not have a passport or a driving licence. A customer with mental or physical health disabilities may have someone assisting them in onboarding, such as helping them take a selfie, which could look suspicious.

Aside from requesting additional pictures of ID or proof of address documents, small-to-medium sized FinTechs may not have a specific, codified response for how to deal with a customer who fails their initial attempt at onboarding, which can lead to genuine customers who lack ID for legitimate reasons being de-risked. JMLSG provides some useful information on how best to formulate your approach, to ensure you maintain a risk-based approach while also practicing financial inclusion. For instance, other documentary evidence could be beneficial - such as a social services letter, confirmation of studies letter or evidence of an asylum application. Many FinTechs already use data about their customer as well as data from their customer - and a mix of data on the customer’s online presence, email address and phone number can support decisions not only on a customer’s genuineness but also their vulnerability. Whether due to the additional steps needed to verify identity or due to overlapping factors between vulnerability and financial crime risk (e.g. high levels of debt), it may be useful to apply enhanced transaction monitoring controls to customers, even if you do onboard them. We’ve already seen FinTechs taking steps towards this, such as with customers engaging in gambling, so it would be great to see these efforts pursued even further within the sector.

Transaction Monitoring

FinTechs and other financial institutions typically use transaction monitoring tools that are designed to spot unusual customer behaviour. However, what could be unusual for a standard customer may be normal behaviour for a more vulnerable customer with non-standard needs. For example, vulnerable customers may be prone to sudden, impulsive purchases, unusual or large-value payments to legal firms or health suppliers, confusing financial patterns designed to repay debts or atypical rent agreements. Thus, it is important to consider vulnerable customers not only when evaluating alerts but also when designing rules. While no two customers are the same, transaction monitoring tools, especially those relying on machine learning, should be calibrated with an eye to avoiding false positives related to vulnerable customers. This may be difficult to fully achieve given the relatively small customer base of many FinTechs, but at least considering vulnerability indicators when working on rules and calibration is a good place to start. FinTechs may also want to consider allowing their customers to set their own behavioural flags, such as for gambling, binge drinking or shopping sprees. FinTech products like Toucan have been spearheading developments in this area. Within their platform, customers can link their bank accounts and set up personalised vulnerability rules and thresholds that can also trigger a general message to a “trusted ally,” who may be able to contact the vulnerable customer and check in on their overall health.

One requirement under the FCA’s new guidance is for firms to take a ‘proactive approach to understand the nature and extent of vulnerability’ within existing customer bases. FinTechs could engage in best practice to abide by this expectation by designing rules tailored to specific patterns of behaviour indicating vulnerability, generating a ‘soft stop,’ or a flag that is retroactively reviewed. These flags could be assigned to a person or team responsible for identifying and understanding vulnerability, and the results of the exercise could then be used to help tailor and refine rules that better separate the vulnerable from the suspicious. Vulnerable customers who may have had their accounts taken over or who may be victims of authorised push payment fraud should still face ‘hard stop rules,’ however, to prevent money from being laundered.

Investigations

The FCA guidance provides strong recommendations on ensuring staff are trained in how to deal with potentially vulnerable customers. This is especially a concern when investigating or speaking to a customer who is suspected of financial crime. For a lot of FinTechs, there are two types of outreach to customers that can be used for financial crime-related investigations - automated messaging from robo-advisors and manual messaging from a live human. In the case of automated messaging, the FCA gives examples of how robo-advisors have been set up to help detect potential flags for vulnerability (e.g. detecting speed to type or respond); this can potentially be expanded into the financial crime investigation space to ensure customers demonstrating signs of vulnerability receive more tailored messages and where necessary, are escalated to a human.

For messaging done by a person, it is imperative that front-line customer relations and compliance staff receive training on how to handle vulnerable customers, as the FCA suggests. However, this training must be especially precise in the financial crime space, to prevent tipping off. Another concern that we have noticed is customers who are genuine fraudsters pretending to be vulnerable in order to play on the sympathies of front-line staff and financially benefit, such as through having their account unblocked. If you’re front-line staff, it is best to ensure you have a positive but firm stance when interacting with customers and be wary of how known or suspected criminals may try to influence you. 

Takeaways 

As much as we wish that it was easy to draw clear lines between vulnerable customers and suspicious customers, the waters are undeniably murky. Only through robust efforts can we truly understand the nature of our customers and build meaningful solutions to support those who are vulnerable while preventing the exact sort of suspicious customer that causes vulnerability. Here are a few steps you can consider taking today to help manage financial inclusion going forward:

  1. Consider defining more specific approaches regarding vulnerable or potentially vulnerable customers, particularly in relation to customer due diligence, customer interaction and transaction monitoring. This should be even more robust for FinTechs specifically targeting the financially excluded. A good approach should start with the identification and confirmation of the customer’s vulnerability - ask yourself, is there a good reason they wouldn’t have the documents required for onboarding or would be transacting this way?

  2. Once vulnerability has been identified, there should be clear escalation channels, training for front-line staff on engaging with vulnerable customers for KYC, as well as defined expectations around supplementary documents and enhanced monitoring where required.

  3. Consider designing transaction monitoring rules with ‘soft stops’ to help identify patterns of behaviour for vulnerable customers, as part of your proactive approach to understanding vulnerability indicators on your platform and as part of your efforts to distinguish vulnerable from suspicious.

  4. Tailor automated outreach messaging tools to detect signs of vulnerability and to escalate potential cases of vulnerability to trained human staff. Ensure all robo-advisor communication is friendly, respectful and easy to understand.

  5. Ensure front-line staff training not only encompasses how to deal with vulnerable customers, but how to avoid tipping off and how to handle customers that may fake vulnerability to financially gain. 

The FCA consultation ends soon. Click here if you want to provide your opinion directly. Or if you want to discuss these issues more and work to make your AFC controls support financial inclusion, contact the team at: contact@fintrail.co.uk


Risk appetite: how hungry are you?

Anyone who has spent any time with the team at FINTRAIL will attest to the fact that we are passionate about anti-financial crime and how you balance effective controls with a great customer experience. To achieve this, we believe that setting a well considered financial crime risk appetite is critical. It is an often neglected area but something we think is vital for companies looking to scale their offering. In this piece we are going to explore what we mean by a financial crime risk appetite and how to use it.


What is it and why is it important?

A risk appetite sets out how much risk a firm is willing to take in a given area. Ideally a risk appetite should align with the firm’s risk-based approach, and this is particularly pertinent regarding financial crime. A risk appetite statement will allow firms to define boundaries at the early stages of a new business or product as it allows you to target your resources in line with your risk-based approach; it will also allow you to identify whether you are in or outside of the firm’s appetite, which is a key foundation to implementing a risk-based approach. If you would like more information on having a risk-based approach and how that is implemented into financial crime frameworks, have a look at our Risk Assessment blog post here.


A well-defined risk appetite enables you to scale your financial crime operations effectively and removes some of the challenge that can be associated with subjective decision making. For example, what customer behaviours or industries are outside your business appetite? If this is clear, as you scale rapidly, you can operationalise controls to identify the activity and take prompt action to resolve it when it is outside of your risk appetite. Rather than spending time debating whether each individual customer or transaction is or isn’t within your appetite, the decision has already been made at a firm/business level and therefore all operations have to do is execute the required action.


Risk Appetite Statement:


Firms take different approaches when writing their risk appetite statement. At FINTRAIL, we have found that a combination of a header statement of intent, aligned to quantified risk indicators from management information (MI) tends to prove most effective. We give a few examples of this below.


A risk appetite statement may look like:

“Bank ABC has a zero tolerance to financial crime and sanction breaches.”  


Although we would all like to see zero occurrences of financial crime, this statement is not realistic and will likely mean that the business is constantly operating outside of its risk appetite. The statement also does not provide any data or metrics useful in gauging success, or details about the financial crime risk that is seen within the business. For a more useful risk appetite statement, businesses could include the number of AML, fraud, tax evasion and corruption cases they will accept, the number of high risk customers/transactions processed or any industries they do not want to work with and any other relevant areas where MI is recorded.

So for example this statement would be better written as:

“Bank ABC has zero tolerance for sanction breaches”.

Bank ABC has a low tolerance for financial crime risk. Based on the risk assessment and risk-based approach, the group is operating within the risk appetite below:

Money laundering

  • Internal suspicious activity reports reviewed within 24 hours

  • Monthly total of funds subject to an external suspicious activity report not to exceed 3% of the total volume

Tax Evasion

  • Transactions to or from high risk tax jurisdictions not to exceed 20% of total transactions

Corruption

  • No more than 10 staff over 30 days overdue for online anti-bribery and corruption training


Examples of financial crime risk indicators:

Internal and external suspicious activity or suspicious transaction reports are a great place to start. As shown above, if a business categorises their reports into the core financial crime threats of money laundering, terrorist financing, fraud, tax evasion, corruption and sanctions, they will have good data points on their main financial crime risks. By using these risk indicators and assessing your exposure to these risks through your risk assessment and MI, you will be able to effectively see if you are operating outside of your risk appetite and should look to mitigate or accept the risk.
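The Bank ABC statement above, turned into a monthly MI check, as an added example that is not FINTRAIL's own code. The record layout, field names and sample figures are constructed, and it assumes the 3% limit is measured by value and the 20% limit by transaction count.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Limits copied from the example Bank ABC risk appetite statement.
SAR_REVIEW_LIMIT = timedelta(hours=24)
EXTERNAL_SAR_FUNDS_LIMIT = Decimal("0.03")  # assumed: share of monthly value
HIGH_RISK_TAX_TXN_LIMIT = Decimal("0.20")   # assumed: share of transaction count
TRAINING_OVERDUE_DAYS = 30
TRAINING_OVERDUE_STAFF_LIMIT = 10

AS_OF = datetime(2021, 1, 31, 23, 59)       # constructed reporting cut-off


@dataclass(frozen=True)
class Indicator:
    name: str
    observed: Decimal
    limit: Decimal
    within_appetite: bool


def _share(part, whole):
    """Ratio that stays defined for a month with no activity."""
    return Decimal(part) / Decimal(whole) if whole else Decimal(0)


def evaluate_month(mi, as_of):
    """Return one Indicator per line of the risk appetite statement."""
    txns = mi["transactions"]
    # A report still unreviewed at the cut-off is late once it has been
    # open for more than 24 hours, so a backlog cannot hide a breach.
    late = sum(
        1 for raised, reviewed in mi["internal_sars"]
        if (reviewed or as_of) - raised > SAR_REVIEW_LIMIT
    )
    sar_share = _share(
        sum(t["amount"] for t in txns if t["external_sar"]),
        sum(t["amount"] for t in txns),
    )
    tax_share = _share(sum(1 for t in txns if t["high_risk_tax"]), len(txns))
    overdue = sum(
        1 for days in mi["training_days_overdue"] if days > TRAINING_OVERDUE_DAYS
    )
    checks = [
        ("sanctions_breaches", mi["sanctions_breaches"], 0),
        ("internal_sars_reviewed_late", late, 0),
        ("external_sar_funds_share", sar_share, EXTERNAL_SAR_FUNDS_LIMIT),
        ("high_risk_tax_txn_share", tax_share, HIGH_RISK_TAX_TXN_LIMIT),
        ("staff_training_overdue", overdue, TRAINING_OVERDUE_STAFF_LIMIT),
    ]
    # "Not to exceed" and "no more than" both allow the limit itself.
    return [
        Indicator(name, Decimal(obs), Decimal(lim), Decimal(obs) <= Decimal(lim))
        for name, obs, lim in checks
    ]


def out_of_appetite(indicators):
    """Names of the indicators to escalate in monthly MI."""
    return [i.name for i in indicators if not i.within_appetite]


def sample_mi():
    """Constructed month of MI for illustration only."""
    def txn(amount, external_sar=False, high_risk_tax=False):
        return {"amount": Decimal(amount), "external_sar": external_sar,
                "high_risk_tax": high_risk_tax}

    return {
        "sanctions_breaches": 0,
        "internal_sars": [
            (datetime(2021, 1, 4, 9, 0), datetime(2021, 1, 4, 17, 30)),
            (datetime(2021, 1, 11, 16, 0), datetime(2021, 1, 12, 16, 0)),
            (datetime(2021, 1, 29, 10, 0), None),  # still unreviewed
        ],
        "transactions": [
            txn("1000"), txn("2500"), txn("400", external_sar=True),
            txn("150", external_sar=True), txn("8000"), txn("1200"),
            txn("300", high_risk_tax=True), txn("50", high_risk_tax=True),
            txn("900"), txn("500"),
        ],
        "training_days_overdue": [0, 12, 31, 45, 30, 60],
    }


if __name__ == "__main__":
    for ind in evaluate_month(sample_mi(), AS_OF):
        status = "within" if ind.within_appetite else "OUTSIDE"
        print(f"{ind.name}: observed {ind.observed} vs limit {ind.limit} ({status})")
```

On the constructed month, the unreviewed report and the external SAR funds share (550 of 15,000) fall outside appetite, while the high risk tax share sits exactly on its 20% limit and stays within.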

A more mature business may look to set a risk appetite for the percentage of high risk customers it accepts or how many high risk transactions it processes, although financial inclusion should be carefully considered here as limiting the number of customers in or transactions to certain jurisdictions could negatively impact particular customer groups. Customers may fall outside of a business’s risk appetite, be it through their behaviours or the cost of safely managing the risks and requirements posed by that customer type. For example, certain industries may be off-limits, and if a client refuses to provide information or documentation, the business relationship may be terminated. 

Backlogs can represent just as big a risk to financial crime exposure and suggest that a framework is either under-resourced or inefficient. If a FinTech is continuously operating from a backlog that continues to grow, they will be unable to manage the operational processes that exist to help mitigate financial crime risks. If a business sets a risk appetite for outstanding processes such as sanctions screening, transaction monitoring alerts or SAR filing, they will know when any backlogs exceed their risk appetite. This will give the firm a clear indication that there is a need for better efficiency or further resource.

For new products or new business lines, a firm should consider setting an initial risk appetite to manage any new risks and monitor financial crime levels as they establish a control environment. This could include limits on transactions, such as cash deposits, or limits on the amount or type of customers onboarded. These appetite statements can and should evolve over time as the firm starts to understand where the major risks lie and what behaviours they are able to tolerate and manage, and which they are not.

Our Recommendations

  • Set a risk appetite early in your journey, and if you are a mature business without a risk appetite, set one now, and use your data to determine whether you have been operating within it.

  • Work with your senior management team to set your risk appetite limits.

  • Link your risk appetite to your risk assessment.

  • Quantify your risk appetite using reliable data points.

  • Consider how you then practically implement your tolerance to risk into your wider financial crime framework.

  • Communicate your financial crime risk appetite so the business knows what is and what is not acceptable. 

  • Assess and escalate scenarios or key risk indicators that fall outside your risk appetite with a view to reject, accept or control.

  • Track deviations from the risk appetite as part of monthly MI.

Get in Contact

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at contact@fintrail.co.uk.






Risk Assessment: Back to Basics

By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).

Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.

While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly-executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment. This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.

What is an AFC Risk Assessment?

In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.


AFC risk assessments also serve as:

  • A map of vulnerabilities. It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”

  • A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.

  • A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.

  • A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.

How do I Create an AFC Risk Assessment?

At their core, AFC risk assessments can be summarized in one essential formula:

INHERENT RISK - CONTROL EFFECTIVENESS = RESIDUAL RISK

Let’s break down each of these factors in a bit more detail.

Inherent Risk

Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:

  • Who your customers are

  • What geographies you serve

  • Your unique product and delivery features

Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.

You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?”, the risk assessment should ask, “Provide the number of high-risk customers in each branch.”

Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.

Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.


Control Effectiveness

Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”

As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).

It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. Like with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.


Residual Risk

Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your residual risk score will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.

Case Study

AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:

Scenario

A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.

Risks and Vulnerabilities

The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.

Managing Risks

The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening and robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.
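The formula INHERENT RISK - CONTROL EFFECTIVENESS = RESIDUAL RISK, worked through for a scenario like the one above. This Python is an added example, not FINTRAIL's methodology: the 1-5 and 0-4 scales, the band boundaries, the weights and every score are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed scales (not from the article): inherent risk 1-5, control effectiveness 0-4.
BANDS = [(2.0, "Low"), (3.5, "Medium"), (5.0, "High")]  # upper bound of each band
ORDER = ["Low", "Medium", "High"]


@dataclass(frozen=True)
class Factor:
    category: str  # "customers", "geographies" or "product"
    score: int     # 1 (low) to 5 (high), taken from the answer to one question
    weight: int    # relative importance of that question


def band(score):
    """Map a numeric score to the Low / Medium / High spectrum."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-5 scale")


def inherent_score(factors):
    """Weighted mean of the factor scores for one risk."""
    return sum(f.score * f.weight for f in factors) / sum(f.weight for f in factors)


def control_score(ratings):
    """Mean effectiveness of the controls mapped to one risk."""
    # A risk with no mapped control gets no mitigation at all.
    return sum(ratings.values()) / len(ratings) if ratings else 0.0


def assess(risks, appetite):
    """Return inherent band, residual score/band and appetite check per risk."""
    report = {}
    for name, (factors, controls) in risks.items():
        inherent = inherent_score(factors)
        # Inherent risk - control effectiveness = residual risk, floored at 1
        # because residual risk is never zero.
        residual = max(1.0, inherent - control_score(controls))
        report[name] = {
            "inherent": band(inherent),
            "residual_score": round(residual, 2),
            "residual": band(residual),
            "unmitigated": not controls,
            "within_appetite": ORDER.index(band(residual)) <= ORDER.index(appetite[name]),
        }
    return report


# Constructed answers for an app-based FX service; every number is illustrative.
RISKS = {
    "sanctions": (
        [Factor("customers", 4, 2), Factor("geographies", 5, 3), Factor("product", 3, 1)],
        {"payment screening": 2, "geographic restriction": 2},
    ),
    "terrorist financing": (
        [Factor("customers", 3, 1), Factor("geographies", 4, 2), Factor("product", 4, 1)],
        {},  # no control mapped to this risk yet
    ),
    "money laundering": (
        [Factor("customers", 3, 1), Factor("geographies", 3, 1), Factor("product", 4, 2)],
        {"KYC and adverse media checks": 3, "transaction monitoring": 2},
    ),
}
APPETITE = {"sanctions": "Medium", "terrorist financing": "Medium", "money laundering": "Low"}

if __name__ == "__main__":
    for risk, row in assess(RISKS, APPETITE).items():
        print(risk, row)
```

Keeping the scales, weights and bands in one place is what makes the result replicable when the assessment is next updated; the `unmitigated` flag surfaces any risk that has no control assessed against it.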


Things to Remember

Here are a few key lessons to take away:

  1. AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!

  2. AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.

  3. AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.

  4. AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.

  5. AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.

Help and Resources

If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:

  • The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).

Do You Want the Bad News…?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Adverse Media Screening (AMS).


In a survey of 39 members, the FFE found that over 75% currently use AMS as part of their compliance framework. Members used AMS throughout the customer life cycle and identified using the tool in support of investigations and SAR filing to be most valuable. Members found it most impactful when applied in a proportionate way, tailored to their specific financial crime risks.


The survey identified some issues, however. Members continue to struggle with the high volumes of false positives generated by AMS, and were looking for more clarity from regulators on when to deploy AMS. Indeed, almost two-thirds of FFE members surveyed supported making the use of AMS a regulatory requirement, partly for clarity, but also to kickstart the RegTech sector into improving the accuracy of AMS solutions. While AMS is currently not an explicit requirement of regulators in the UK, US, or EU, recent findings from the FCA have suggested that when well-executed, it can mitigate financial crime risks. Further guidance of this kind would clearly help FinTechs.


In the meantime, research and feedback from members suggest that the best approach is likely to be a proportionate one. To gain the most value-add from AMS, FinTechs should therefore employ it on a risk-based approach to gather the information most relevant to their risk profile, while making sure their solutions are regularly reviewed to ensure they operate at the highest level. If used judiciously, bad news can be good news for FinTechs.


To download the full paper, click here.

Sextortion: The Underreported Predicate Offence

Cases of sextortion are on the rise; however, as this type of crime grows in prominence, its relation to financial crime remains under-explored.

In May 2018, the National Crime Agency warned that tens of thousands of Britons were being targeted by ‘sextortion’ gangs. Reported cases have increased three times since 2015, and in July 2018, reports of a new, related phishing scam began making their way into our newsfeeds.

Sextortion is not a legal term and is used to cover a broad range of criminal activities. Interpol offer one of the best definitions, classing it as ‘blackmail in which sexual information or images are used to extort favours and/or money from the victim.’

Despite growing awareness from both a law enforcement and potential victim perspective, little analysis has been done on the financial crime implications of sextortion, which are potentially significant.

To help shed light on the subject, we explore three models here, detailing how they operate and what money laundering red flags you should look for.

The Phishing Scam

Over the past couple of months, law enforcement agencies from around the globe and across the UK have identified a new scam whereby perpetrators email victims alleging to have hacked into their webcam whilst they were watching pornographic content. The perpetrators request sums ranging from USD$200 to USD$8000 to be paid in Bitcoin and have allegedly made USD$500,000 in total from the scam thus far. Other phishing scams linked to sextortion exist as well, meaning funds that firms might have seen laundered - and would normally attribute to classic phishing scams - could in fact be proceeds from sextortion. The likelihood of this could increase with time as the success of recent sextortion-related phishing campaigns becomes publicised.

Financial Crime Implications

  • Cryptocurrency payments-- payments relating to sextortion cases may be requested in cryptocurrencies, so efforts should be made to cluster and risk rate bitcoin addresses, and this information could be communicated with FinTechs whose customers deal in cryptocurrencies or who directly facilitate cryptocurrency exchanges and wallets.

  • Recurring payments to the same beneficiary-- the initial one-time payment could become recurring (though the value of each payment could change). Moreover, the payer and payee may have no other obvious connection outside of these payments.

  • New customers-- victims could be new to paying in cryptocurrency and may not use cryptocurrency exchanges outside of these transactions.

The Catfishing Scam

This type of scam is typically carried out through organised criminal efforts, where fake profiles of women are created and used to entice men into performing sexually compromising acts on camera that are then recorded and used as blackmail. Recent cases have seen such activity linked to Romanian crime groups and call centre-style establishments out of the Philippines. Some photos and videos used to create these women are assessed to originate from coerced activity.

Financial Crime Implications

  • Payments from victims--these could come through as FPS payments, and, like with phishing scams, could be larger amounts followed by recurring payments of varying amounts.

  • Adverse media checks--some KYC details including contact information and residential address may be found through adverse media checks to be connected to alleged romance fraud, dating scams or catfishing.

  • Organised activity--as these types of sextortion scams are often centrally organised, network analysis can be conducted on suspect accounts.
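
The payment patterns in the phishing and catfishing lists above (a larger first payment followed by recurring payments of varying amounts to a beneficiary with no other obvious connection, and several payers converging on one account) can be written as a transaction-monitoring rule. The Python below is an added example, not FINTRAIL's tooling; the ledger is constructed, and the thresholds, account names and function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    day: date
    payer: str
    payee: str
    amount: float


# Constructed sample ledger (not real data).
LEDGER = [
    # Two unrelated payers, each sending a large first payment and then
    # smaller follow-ups of varying size to the same account.
    Payment(date(2018, 7, 2), "cust_A", "acct_X", 800.0),
    Payment(date(2018, 7, 9), "cust_A", "acct_X", 150.0),
    Payment(date(2018, 7, 20), "cust_A", "acct_X", 320.0),
    Payment(date(2018, 7, 3), "cust_B", "acct_X", 500.0),
    Payment(date(2018, 7, 15), "cust_B", "acct_X", 90.0),
    Payment(date(2018, 7, 28), "cust_B", "acct_X", 210.0),
    # Rent: recurring, but the amount never varies.
    Payment(date(2018, 6, 1), "cust_C", "landlord", 700.0),
    Payment(date(2018, 7, 1), "cust_C", "landlord", 700.0),
    Payment(date(2018, 8, 1), "cust_C", "landlord", 700.0),
    # Friends settling up: money flows in both directions.
    Payment(date(2018, 7, 4), "cust_D", "cust_E", 60.0),
    Payment(date(2018, 7, 6), "cust_D", "cust_E", 25.0),
    Payment(date(2018, 7, 8), "cust_D", "cust_E", 40.0),
    Payment(date(2018, 7, 7), "cust_E", "cust_D", 30.0),
]

MIN_PAYMENTS = 3  # assumption: the initial payment plus at least two follow-ups


def escalating_pairs(ledger, min_payments=MIN_PAYMENTS):
    """Payer/payee pairs with a larger first payment, then varying follow-ups."""
    by_pair = defaultdict(list)
    for p in ledger:
        by_pair[(p.payer, p.payee)].append(p)
    hits = []
    for (payer, payee), pays in by_pair.items():
        if len(pays) < min_payments:
            continue
        # Funds flowing back the other way suggest an ordinary relationship.
        if (payee, payer) in by_pair:
            continue
        pays.sort(key=lambda p: p.day)
        first, rest = pays[0], pays[1:]
        larger_first = all(first.amount > p.amount for p in rest)
        varying = len({p.amount for p in rest}) > 1
        if larger_first and varying:
            hits.append((payer, payee))
    return sorted(hits)


def shared_beneficiaries(hits, min_payers=2):
    """Network view: beneficiaries that several flagged payers converge on."""
    payers = defaultdict(set)
    for payer, payee in hits:
        payers[payee].add(payer)
    return {b: sorted(ps) for b, ps in payers.items() if len(ps) >= min_payers}


if __name__ == "__main__":
    flagged = escalating_pairs(LEDGER)
    print(flagged)
    print(shared_beneficiaries(flagged))
```

A hit is a prompt for analyst review alongside KYC and adverse media results, not a finding in itself; legitimate instalment payments can match the same shape.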

The Blackmail Trade

Blackmail trading can be done through organised criminal groups or more decentralised networks. This type of sextortion typically targets women, and overwhelmingly women under the age of 18. In some cases, children’s sites have deliberately been exploited to find potential victims. It begins similarly to catfishing, with the victim being encouraged into sexually compromising activity, which is then used as blackmail to extort further sexual activity. When the perpetrator grows bored of the victim, they will sell the blackmail material (and by extension, the victim) to a buyer who continues the activity.

Financial Crime Implications

  • Perpetrator to Perpetrator payments--as the payments are for blackmail, amounts could be smaller sums (e.g., £50 to £200) that are one-off payments and may be done through P2P platforms as the parties may know each other. They could be less likely to recur.

  • Payment references--check suspicious payments for references to sexual acts, children’s websites and the name of a woman in a payment between two men.

In all of these cases, unlike other scams, victims rarely ever report the abuse. The implications can be devastating and have been linked to suicide and non-virtual sexual violence. Even when victims do manage to escape, the fear remains. More effort is needed not just to help potential victims protect themselves, but also to crack down on the financial trail behind these activities. The latter - if addressed correctly - has significantly more chance of identifying rings and perpetrators than relying solely on victims reporting crimes, and is another area where public-private partnership could be used to powerful effect.

If you’d like to further discuss this type of crime or other serious predicate offences and how they are financed, don’t hesitate to get in touch.


Cryptocurrencies and UK FinTechs: Perspectives and Experiences of Financial Crime

The UK FinTech FinCrime Exchange (FFE) has just launched its latest white paper on FinTech perspectives and experiences on the nexus of cryptocurrencies and financial crime.

Cryptocurrencies experienced a meteoric rise in both value and popularity at the end of 2017.

While the value of popular cryptocurrencies such as Bitcoin has declined, interest has remained. International governments have been slow to regulate the emerging market, and many in the traditional financial services sector and wider public have expressed concerns related to the ability of cryptocurrencies to facilitate financial crime.

This paper answers the following questions: how does the UK FinTech sector perceive the risks associated with cryptocurrencies, and how are they managing the challenges related to this new disruptive technology?

Our research suggests that while some UK FinTechs have considered engaging more with cryptocurrencies, perceived financial crime concerns, the need for meaningful AML/CTF controls and the lack of regulatory clarity have fostered an attitude of caution.

We found that perceptions of financial crime risk associated with cryptocurrencies differed from actual experiences of FFE members. These perceptions had a disproportionate impact on how FinTechs chose to engage with cryptocurrencies, limiting their appetite for extending their exposure, and for some, that of their banking partners.

The paper recommends that FinTechs not be deterred by the challenges associated with cryptocurrencies, as financial crime concerns can be managed through tailored, risk-based anti-financial crime tools, and a solid understanding of any areas of concern through a detailed risk assessment process. Regulators as well as law enforcement actors should collaborate more with FinTechs in order to improve the broader understanding around cryptocurrencies, financial crime and new regulatory developments.

More detailed findings are presented in the white paper.

For more information on the FFE or on cryptocurrencies and financial crime, please contact the FFE Admin.

A Step in the Right Direction Toward Mitigating Cryptocurrency Risks

It’s a truth universally acknowledged that cryptocurrencies have the power to create a more dynamic, mobile and accessible financial ecosystem, and the enormous potential of the underpinning distributed ledger technology (DLT) for application outside the financial sector is nowhere near being realised.

But as with most great strides in innovation, there are concerns and risks to address, understand and mitigate as early as possible. FINTRAIL has a keen interest in this fast-paced arena and is working with the UK FinTech FinCrime Exchange (FFE) to publish a white paper later this month exploring FinTech perspectives on and experiences of cryptocurrencies.

In the meantime, UK MPs are launching an inquiry into cryptocurrencies, including exploring the financial crime risks related to cryptocurrencies.

A government review of the need for cryptocurrency regulation is no surprise. The explosion of growth in the sector continues unabated. The German and French governments have called for greater regulatory coordination ahead of November’s G20 meeting. And the US Securities and Exchange Commission (SEC) has described cryptocurrency as an “across the border priority.” The UK inquiry also coincides with news that seven of the UK’s largest crypto companies have formed a self-regulatory body, CryptoUK, with the intention of promoting best practice and working with the government and regulators.

The Treasury Committee will no doubt consider the late-2017 revision of the EU 4th Anti-Money Laundering Directive (4AMLD), known as 5AMLD, which delivers a definition of “virtual currencies,” which include cryptocurrencies, for all member states to adopt in AML legislation.[1]

In addition to the definition, the 5AMLD aims to mitigate risks associated with the use of virtual currencies for terrorist financing. To do so, the 5AMLD extended the scope of “obliged entities”, which previously included financial institutions, accountants, lawyers, estate agents etc., to include cryptocurrencies and other related services such as exchanges and custodial wallet providers. This is significant as it acknowledges that cryptocurrencies and their supporting services carry the risks of money laundering and terrorist financing and that KYC policies, EDD controls and transaction monitoring are required alongside the immediate submission of suspicious activity reports to law enforcement.

While adoption of the new rules into national legislation will take time, the principles of the 5AMLD, and the obvious appetite from EU member states, the US and the cryptocurrency sector itself to bring about a more coordinated regulatory position, will inevitably play an important role in the deliberations of the Treasury Committee.

Regardless of the outcome of the inquiry, government scrutiny of cryptocurrency at a time when uncertainty and volatility pervade the sector is an encouraging development.

As to the 5AMLD, further work is needed to ensure legislation keeps up with the high-tempo cryptocurrency risk landscape; however, for the time being, EU acknowledgement that cryptocurrency carries financial crime risk is a much-needed starting block.

 

[1] Virtual currency is not synonymous with cryptocurrency. Virtual currencies are tradable digital representations of value that are not issued by any government and don't have status as legal tender. Virtual currencies can have a central administrator (as in the case of services like WebMoney, or game-based currencies like World of Warcraft Gold); or they can be decentralised cryptocurrencies, which use cryptography to validate and confirm transactions.

Unravelling the Complexity of Multi-Jurisdictional KYC

Scaling up is a natural part of any FinTech’s journey. This typically involves the exciting opportunity of offering your product or services in new jurisdictions overseas. However, this growth comes with significant regulatory and practical know your customer (‘KYC’) complexity that may expose you to regulatory risk.

Here are some factors to consider when adjusting your onboarding policies and procedures to support customers from new jurisdictions:

Onboarding Portal

You may think setting up in a new country just means copying and pasting your current onboarding portal into another language. Unfortunately, it’s not that simple. Some countries may have different legal entity types or have entity types that do not translate directly. There are also different types of identification numbers in some countries that are given to sole traders and businesses, so make sure to request the correct number. Be careful to ensure your initial KYC questions are clear in all languages on your websites and apps to prevent customer confusion.

Identification

UK Joint Money Laundering Steering Group (‘JMLSG’) guidance recommends asking for an individual’s name, date of birth and address. But be aware, some countries require more information! In half of the countries we’ve looked at, national identification numbers, like social security numbers, were required. Place of birth and nationality were other common identification asks in other countries. This could require several operational changes, from rewriting some of your procedures, to redoing parts of your onboarding portal.

Verification of Companies

In the UK, many FinTechs will verify the identities of legal entities against Companies House. However, there is no registry for sole traders. In other countries, it is important to check if there is a register for sole traders that should be used for verifying identities as part of KYC, as around two-thirds of countries we’ve looked at had some searchable registry of sole traders. Furthermore, other countries’ corporate registries may not be as easy to navigate as Companies House--requiring you to purchase certain documents or existing as one of multiple company registries. Third party providers should be checked to ensure they are accessing data directly from your jurisdictions’ registries. Understanding verification options for companies and sole traders is important for simplifying your operations.

Documents

In the UK, a primary government-issued photo ID includes a passport, identity card, driving license, biometric residence permit or firearms license. However, in several countries, a driver’s licence is not actually considered a primary form of photo ID for compliance purposes. For secondary documentation, while a document from a bank or utility provider may be acceptable in the UK, this is not always the case in other jurisdictions.

Beneficial Ownership

While the 4th MLD made it a requirement for countries to have a publicly-accessible beneficial ownership registry, this is still slowly being implemented in some countries. Of the EU/EEA countries we’ve checked, a UBO register was only available a little more than half of the time. Many countries outside of the EU have shown very little progress on the issue of a publicly-accessible registry of beneficial owners. Not being able to refer to a public registry of beneficial owners may add unforeseen operational costs and considerations that should be taken into account to ensure a smooth rollout.

Directors

JMLSG clearly outlines requirements for identifying a legal entity’s directors and senior management when commencing a business relationship. However, the vast majority of countries we’ve checked do not have explicit policies around the identification of directors. Some may include directors in their definition of beneficial owners, however. This ambiguity could lead you to having to rethink your AML/CTF standard operating procedure on who to identify.

Certification

When information is not easily available to verify through eKYC or checks against a registry, you may need to request certified documentation. Be sure to know the professional bodies of accountants and solicitors in each jurisdiction you operate in, so that you can check the status of whoever has certified your customer’s documents. This will help you avoid any operational hiccups down the line.

Expanding your business into new countries or regions is really exciting, but is not a simple or risk-free process. The amount of nuance and complexity involved in each jurisdiction highlights the need for assessing the financial crime and compliance risks posed in each jurisdiction where you plan to operate. Not only is it important to check for regulatory differences that may create operational challenges in different countries, but also to check areas for higher corruption, identity fraud, money laundering and terrorist financing risks in order to determine whether you need to rethink any parts of your KYC policy.

If you ever have any questions on or need any assistance with managing the financial crime regulatory landscape of a new country or jurisdiction, don’t hesitate to get in touch for more information.