Matthew Long, Director, Financial Crime & Compliance Solution Consulting, Oracle Financial Services, discusses why organisations in the financial services sector can no longer rely on outdated compliance systems and how they can optimise next-generation technologies to build the best cyber defence.
An increasing number of European banks and their supervisory authorities are being drawn into money laundering allegations.
According to the Organised Crime and Corruption Reporting Project (OCCRP) the latest allegations on ‘Troika Laundromat’ involved the use of a complex network of 75 shell companies moving billions of US dollars belonging to wealthy Russians – including politicians and prominent business heads – into major Western banks. The funds were allegedly used to purchase properties in Spain and Austria as well as high-end luxury goods including yachts and chartered jets. This has ultimately resulted in criticism for failing to prevent potentially criminal Russian funds moving through their branches across the world.
The allegations of Standard Chartered and Danske Bank processing suspicious transactions has already exposed serious and potentially fatal shortcomings in risk and compliance processes among some of the most established financial institutions in the world. At the time of writing, Danske Bank is facing EUR 1 billion of damages filed by up to 70 investors, following allegations that EUR 200 billion of suspicious transactions had filtered through its Estonia branch between 2007 and 2015. The Danish bank revealed 1% (around 28,000) of its retail customers had left the bank, while its chief executive and chairman have both been recently ousted.
Denmark was previously viewed as the bastion for well-managed and tightly-regulated banks, but the Danske Bank scandal is causing ramifications far beyond plummeting share prices. It’s eroding trust among the Danish people, with the percentage of Danes who find the bank credible sinking to a meagre 46%, the lowest since credibility recordings began in 2008. There’s a tangible erosion of brand value becoming a clear cost to business if these issues are not addressed.
Clearly, the stakes have never been higher, yet many banks persist in using outdated, time-consuming rules-based processes for their anti-money laundering, KYC and due diligence that can easily be circumvented by money launderers and other nefarious opportunists. As more high-profile cases of financial crime come to light, the question is: why aren’t financial institutions able to catch them earlier, and how can they better police their own practices?
Hiding in plain sight – how are criminals getting away with it?
As the ongoing ‘laundromat’ exposure suggests, criminals rely on a sophisticated variety of techniques and mechanisms to obscure their ownership and control of illicitly obtained assets.
The most pervasive vehicles for financial crime are shell companies. These organisations will essentially ‘hide in plain sight’ by using global trade and commerce infrastructures to appear legitimate. Ironically though, prosecutors are often left chasing shadows when attempting to bring this sub-breed of financial criminals to justice.
Due to the anonymity of their ownership, shell companies represent the perfect conduit for money launderers, fraudsters, and other financial criminals seeking to hide their assets and evade taxes and launder criminal funds. It’s becoming far too difficult for law enforcement to pin down the true beneficial owners of these shell entities.
A number of European countries, including the UK, have introduced legislation for public beneficial ownership registers in an attempt to crack down on shell companies. The registers would require owners of overseas companies investing in property to be named on a public register, making it more difficult for them to hide.
However, in a recent report on economic crime made to the UK Treasury committee, one of the main concerns highlighted is that the agency that registers UK firms, Companies House, is not required to carry out anti-money laundering checks. The committee claimed this is weakening the UK’s system for preventing economic crime and that the UK government should urgently consider giving the agency powers to verify information given by those forming new companies.
Technology essential to outsmart criminals
As the headlines and enforcement figures consistently show, the financial services sector can no longer rely on outdated compliance systems and armies of analysts and investigators to help tackle this challenge.
Given the high volume and complex nature of today’s transactions, combined with opaque and disparate relationships and connections between customers and entities, financial services companies are turning to technology that can better identify and process all the hidden and known connections between legitimate customers, businesses, criminals, PEPs, sanctioned entities and shell companies.
AI and machine learning can then create accurate risk profiles or risk scores to determine whether or not banks should enter into a potential client or customer relationship – with anomalies or suspicious activity flagged for further investigation by analysts.
Financial institutions can also start using machine learning algorithms to query and question the links between entities with more speed and efficiency than a pair of human eyes. Systems can also be trained to present case recommendations to analysts based on topology analysis of the case in question against the history of similar investigations and decisions, similarly on the most effective, suspicious behaviour detection scenarios to use, to help reduce the noise of false positives and ensure resources are more effectively focused on the highest risk areas.
But for this to work, all that data needs be organised in a much more effective manner. Currently, when screening individuals against internal and commercially available watch lists, firms typically look at customer name, address and date of birth. For corporate accounts or transactions, this extends to company registration details, along with information regarding key executives, stakeholders, and beneficial owners.
However, anomalies and inconsistencies will often crop up, influencing the accuracy of the screening process and its subsequent results. Many organisations also hold their data in international language scripts, which makes it difficult to compare this data against commercial watch lists and sanctions.
Data holds the key – preparation is the best form of defence
When screening individuals against internal and commercially available watch lists, firms typically look to the customers’ names, addresses and dates of birth. For corporate accounts or transactions, this extends to company registration details, along with information regarding key executives, stakeholders, and beneficial owners.
However, anomalies and inconsistencies will often crop up, influencing the accuracy of the screening process and its subsequent results. Many organisations hold their data in international language scripts, which makes it difficult to compare this data against commercial watch lists and sanctions.
It’s clear that simple data cleansing isn’t going to make the grade in our increasingly-sophisticated threat landscape. More extensive profiling and auditing of data ahead of screening is paramount. Financial institutions must start collecting data concerning nationality, country of residence, membership in certain regimes or political parties, close associates (otherwise known as secondary identifiers), and writing system used.
Often this level of detail will allow for the removal of those pesky anomalies or inconsistencies, such as white spaces, questionable characters, or fields requiring only one entry that suspiciously contain multiple values, such as a company name or job title. Data can then be optimised to adhere to the original rules that were set.
Effective screening will differentiate between individuals and entities with common names but will have discrete match rules available that can be activated. With the correct definition and application of rules to customer and list data sources plus the use of secondary identifiers as part of the screening process, false positives can be reduced to a minimum without increasing risk.
This approach empowers organisations to more accurately deploy the risk-based approach demanded by regulators and allows compliance teams to focus their time and investment on higher-risk, higher-probability and higher-complexity issues. This is where the human touch truly adds value.
There will always be nefarious activities, but increasingly, forward-thinking organisations are bolstering their defences with machine learning, AI and more fastidious data preparation. So, if your business is exposing itself to these risks without the proper consideration, you may be part of the problem, not the solution.
Discussion about this post