Reducing financial crime is a key concern and regulatory expectations are high. Last year, regulators issued fines of £6.2 billion for anti-money laundering (AML) related breaches across the globe –- double that of the previous year. Despite the high cost of a regulatory breach, some smaller firms still rely on manual processes and Excel spreadsheets to identify suspicious transactions. There are three key areas where you can use technology, at a fairly low cost, to support AML and counter terrorism financing (CTF) processes:
1 Transaction monitoring, sanction screening and customer risk rating
2 Identification and verification
3 Payments and cryptocurrencies
Using technology effectively can improve performance, reduce overheads and turn compliance into a competitive advantage.
Transaction monitoring, sanction screening and risk rating
Using machine learning
Data analytics tools can assess a large amount of data to identify suspicious activity, but it uses deterministic rules-based logic, which returns a high number of false positives and not that many true positives. Machine learning can reduce the number of false positives, leaving fewer red flags to check for suspicious activity.
The main drawback to machine learning is data quality and volume. There may be a bias in your underlying algorithm training and validation datasets. This could be due to collection methodologies and unconscious observer behaviours, which will affect your machine learning algorithm. External events, such as coronavirus, can cause unusual patterns of behaviour that would not apply in the long term, again affecting your dataset.
Then there's the question of volume. In reality, true positives are rare, so you may not have enough data to teach the algorithm what to look for, again creating a bias and reducing reliability. The extent of that bias may vary depending on what you're looking for and the number of true positives found. For example, if you’re sanction screening you may only find one true positive a year. But you may find more in transaction monitoring, depending on your risk appetite and what you’re screening for.
Meeting regulatory expectations
How the algorithm uses and assesses the data must be reliable, repeatable and explainable, which is an important regulatory requirement in areas such as credit scoring. Bias in datasets and algorithms can negatively affect your customers, and integrating technology with manual checking is vital to maintain good conduct and make sure you continue to treat customers fairly. This is an area of concern for regulators, and you should fully document the risks and mitigating controls.
At an organisational level, aim to focus on collecting good quality data in a consistent format. It's also important to consider what unintended data the algorithm is collecting and review if it is appropriate to continue to do so. Under the General Data Protection Regulation (GDPR) there may be implications for data storage and retention. At a sector-wide level, pooling data across multiple organisations may be the best way to inform machine learning in the long term. While this will reduce concerns over the volume of data and the sample size of true positives, issues such as unconscious bias and data protection will still need careful management.
In the short term, if you have lots of data for recognisably false positives, then you can determine true positives by a process of elimination. Traditionally, alerts need manual checking and cross-referencing against a range of databases and online resources.
Robotic Process Automation (RPA) can speed up this process, giving your team more time to focus on areas that need specialist, manual input. Essentially, RPA is like a macro but it works across multiple programmes on a device and can conduct online searches. RPA can be fairly cheap to implement, but its success depends on a robust testing cycle and ongoing monitoring. Adopting the new tech may be difficult to manage and you should also consider the risk of reputational damage as you may not need as big a resource pool on a day-to-day basis. Reducing the size of the team may introduce new risks in the long term, as there will be spikes in genuine activity that need manual intervention, for example due to weakened controls because of lockdown.
Seeing it visually
Graphical network analysis is a useful tool to visually represent a person’s network for onboarding or to follow up suspicious activity, making it easier to see where to look next. While many of the tools that can be used to perform network analytics are open source, there can be a steep learning curve for people using them, even experienced data scientists, and you may need to provide additional training options. Training should include regulatory implications including data protection, retention and destruction requirements.
ID and verification
Machine learning can also support ID and verification (ID&V) during onboarding. Traditional models needed a person to come into a branch to verify their ID when opening a new account. With machine learning, a customer can take a selfie video and hold up their passport, which the algorithm can check instantly.
Challenger banks have embraced this technology to make the process more user-friendly, with as few as 24 clicks to open an account, versus 80 or 90 clicks for more traditional models. Many banks also use silent authentication, such as accessing the mobile app with a thumbprint, for ongoing Know Your Customer processes. Speed is more convenient for the customer, and can give your business a competitive edge. But it’s important to strike the right balance and make sure that the ID and verification process remains robust, including human intervention at key control points.
Looking further ahead, customers may not need to send each firm proof of ID and it could become another shared tool across the sector. Leveraging blockchain technology offers a secure and immutable mean of recording data, making it ideal for storing personal records as a centralised database. Every time a customer needs to verify their identity, the bank could simply draw the information from the blockchain, adding further information as needed. Privacy is the main concern here and it would probably rely on individuals giving an encryption key to access the data on a case-by-case basis. This would be a low-cost, secure and long-term solution for the Know Your Customer requirements of anti-money laundering regulations.
Payments and cryptocurrencies
Cryptocurrency isn’t always popular in anti-money laundering circles, mostly due to Bitcoin’s anonymous wallets which make it difficult to trace who initiated or received a payment. But new cryptocurrency regulations coming into force in the UK in 2021, combined with the fifth Anti-Money Laundering Directive, should reduce anonymity and offer greater oversight of end-to-end payments.
Cryptocurrencies with identifiable counterparties can improve businesses processes. Some firms are using Ripple as an alternative method to process global payments. Ripple supports a real-time gross settlement system and foreign exchange processing, costing significantly less per transaction. It also supports best execution as all transactions are visible and immutable on the blockchain.
Data is the expensive part
If you’re looking to reduce the cost of anti-money laundering compliance, optimise resourcing models or streamline processes, these tech solutions can help your business. As the sector inevitably moves towards greater centralisation, with pooled information and processes across the market, you should look at how your business will be set up to support that in the long term.
None of the above tech options are particularly expensive and many are available as open-source products. In most cases the expensive part is collecting and maintaining the right data, in the right format, as well as effective testing and monitoring. Key areas to think about include:
- How is your data currently collected and cleansed? Is it in a consistent format?
- Do you have enough data to support machine learning? Can you identify true positives by a process of elimination?
- If you’re already using machine learning, are you using it for its intended purpose? Is it effectively monitored and tested? Are the results reliable, repeatable and explainable?
- Would RPA reduce resourcing pressures? Have you considered the reputational risks?
- Have you considered the use of a blockchain for centralised secure record management and global payments, and have you considered the implications for your business in the future?
- Do you have a suitable governance and risk management framework in place to support new technology applications?
- Does your team need further training?
Early adopters for new tech often get a competitive advantage and improve agility as the sector evolves. But finding what works for you depends on the services you offer and your unique risk profile.
By Jamie Crossman-Smith, head of Data Assurance Services at Grant Thornton UK
How can Grant Thornton support your company?
Count on our teams of global experts for more information on anti-money laundering, appropriate tools and how we can help you make the best use of available technologies according to your business reality.