ACFCS 2017 Conference Part 2: Five innovative ways to address key fincrime compliance challenges
Thursday, October 26, 2017
Posted by: Brian Monroe
By Brian Monroe
October 26, 2017
Harnessing, validating and scoring data, including customer risk rankings and transaction details. Swimming current and historical data with new sources, like social media. Extending broad-based compliance training to all areas of an institution to counter a growing threat landscape.
Those are some of the key obstacles the financial crime compliance community is facing that were tackled at the 2017 ACFCS Annual Financial Crime Conference, which took place last week in Boston. Here are some innovative ways to address five major challenges faced by compliance officers, regulators and law enforcement. To read part the first story covering the ACFCS Annual Conference, please click here.
The conference included more than two dozen panels and nearly 50 speakers, including current and former compliance officers, regulators, investigators, journalists, artificial intelligence and machine learning tech wizards and others covering the entire spectrum of financial crime.
The challenges and opportunities in big data
One theme that wove through the conference, highlighted by speakers in the public and private sectors, was the challenge posed by data management in compliance programs, particularly data integrity, validation and quality.
The problem, according to speakers, is best tackled when broken down to its component parts: collecting the data, validating the data, and validating that systems are receiving and reading it properly.
In some cases, banks have missed entire “entire swathes” of customer types and data because they didn’t realize the information wasn’t being properly collected, wasn’t being fed into the system due to a glitch or oversight, or were erroneously added to a “lower risk” list that actually included a bevy of higher risk entities, according to panelists.
Transaction monitoring solutions are one of the biggest data management pain points, according to one panelist.
“The feeds into those solutions are not always correct,” said the person. “They are based on someone who made a decision 10 years ago, so certain types of customer or accounts might not even have been fed into the system. When data goes in, a bank has to ask what are the parameters. Maybe they haven’t been updated in 5, 10 or 15 years.”
In another example, one bank didn’t have country information for 45 percent of international wires, with the system defaulting to “low risk,” which was not accurate, resulting in a major penalty and remediation.
Representatives of US regulatory agencies present at the conference noted that data integrity would be a priority in examinations and oversight. Those rising expectations at the federal level mirror many of the key objectives of another key regulatory development explored at the conference - New York’s Rule 504.
Released in June of last year, the regulation by New York’s Department of Financial Services (NYDFS) create new requirements around the creation, testing and updating of transaction monitoring and sanctions screening systems.
The final rules call for institutions chartered in New York to adopt risk-based anti-money laundering (AML) and anti-terrorism financing systems that monitor for suspicious and aberrant transactions, create alerts for further investigation by compliance staff, and filter for sanctioned individuals and entities, among other objectives – formalizing what had long been industry best practices, but adding significantly more granularity, specificity and liability.
Broadly, the rules put enhanced scrutiny on the transaction monitoring and filtering systems banks use to detect financial crime, sanctioned persons and other blacklisted groups.
The rules evinced an increased regulatory focus on the decision-making of staffers analyzing generated alerts, and the quality and accuracy of the underlying data flowing through the programs.
Social media, leaks give context to customer data
But to make things just a little bit more complicated, regulators, banks and law enforcement are analyzing if the internal data generated by bank customer risk rankings and automated transaction monitoring systems should also be paired with details collected from other outside data sources.
With the goal to create more connections to possible suspicious activity, institutions are looking to swim internal data against outside sources, including social media, open source intelligence, and information from major leaks, like the Panama Papers and Wikileaks.
Part and parcel of that initiative is also to score, vet and validate the data – a challenge in and of itself when details are garnered from a selfie-strewn Facebook feed.
Such forward-thinking actions by banks create a tension between the various stakeholders in financial crime, potentially producing better SARs for investigators, but opening up criticism by examiners due to possibly inaccurate social media results.
The upshot is that it could yield a detail that completely upends a risk rating, such as a local low risk business owner that, according to Facebook comments, has business or familial ties a region known for terror support or near conflict zones.
As well, a lack of social media presence can also reveal that a company is a fraudulent shell, while a company or individual who regularly posts on Facebook, LinkedIn or Instagram could prove to examiners they are deserving of a lower risk ranking.
Closing the training gap in the face of new threats
Another major vulnerability in banks across the country, regardless of size, is a lack of broad-based training – including AML, fraud, corruption and cybersecurity – that extends beyond compliance departments and is given to front line employees, branch managers, business line executives, and is made available to foreign affiliates, subsidiaries and correspondents.
A conclusion from one panelist is that the threat landscape has changed, and training compliance teams on only one area of financial crime is not enough – while giving basic training, or tailored training, to non-AML staff won’t adequately defend against more aggressive and determined organized criminal, terror and hacking groups.
“Financial institutions are dealing with a much greater range of threats than ever before,” said the person, adding that rank and file bank staff, including relationship managers, and employees in every jurisdiction of a company must be responsible and accountable for understanding things like cyber and corruption risks.
For instance, one person at the lowest level of a bank mis-clicking on a ransomware email or malware link is all it takes to open the door to a larger, more expensive cyber incursion. In that same vein, one employee of a foreign affiliate unfamiliar with the risks of corruption, and allowing a foreign finder to operate on the bank’s behalf, can open the door to a corruption penalty.
Going a step further, some financial institutions have even added training for customers, including requiring them to read and check boxes to look for fraud or, after meeting certain scenario parameters – say for a customer that seems to have fallen victim to a romance scam, lottery scam or Nigerian prince scam – company staffers will call the person to find out if they are the victim of a fraud.
Stronger public, private partnerships to identify illicit acts, groups
Federal investigators might also help banks more directly with sniffing out criminals, fraudsters, terrorists and money laundering syndicates through a new pilot program.
In the initiative, the U.S. Treasury is using Patriot Act 314(a) powers to share with banks more details on individuals, entities, companies and regional trends that could attempt to move illicit funds through an institution or defraud the operation or its customers.
As well, the U.S. is considering a standing public - private working group to allow federal investigators talk to compliance officers in an open forum to better dialogue and dissect criminal patterns, with financial institutions getting new insight before a customer ever walks through the door and law enforcement potentially getting more detailed and timely SARs.
The initiative is envisaged to engage a model similar to the United Kingdom’s Joint Money Laundering Intelligence Task Force (JMLIT).
Established in May 2016, JMLIT was developed with partners in government, the British Bankers Association, law enforcement and more than 40 major UK and international banks to better tackle grand scale financial crime schemes.
The taskforce has “analyzed information and expertise in the public and private sectors to better understand the true scale of money laundering and the methods used by criminals to exploit the UK’s financial system and terrorists using the financial systems to finance attacks,” according to the group.
Old regulations struggle to handle new technologies, for good or ill
Several current and former public officials lamented that antiquated and outdated AML regulations are not keeping pace with the expansion rate of new technologies, including virtual currencies, the blockchain, fintech, regtech and other new strategies to store and exchange value.
That means federal regulators and fintech and regtech firms will have to take a different approach to working together, attempting to craft regulations together – with financial crime compliance countermeasures baked in from the beginning – and come up with new techniques to remove the anonymity associated with certain virtual currency platforms.
Moreover, while some regulators push the adoption of non-documentary customer identification techniques, criminals just as easily and quickly try to exploit such moves by stealing and creating fake identities, a burgeoning problem now with dark net sites awash with identities stolen in the spate of historic data breaches occurring in recent years.
That same spirit of partnership could also create fintech firms with new ideas to better know customers without ever meeting them and forge relationships with regtech firms at the cutting edge of artificial intelligence and machine learning that help financial institutions lower alert volumes, create reports that form the foundation of investigations and truly start to thwart international criminal money laundering networks.