ACFCS Exclusive Contributor Report: Wolfsberg Guidance on Customer Lifecycle Risk Management and Identity Verification – Virtual onboarding resurgence requires compliance convergence, deep dive on deepfakes  

The Skinny:

  • NICE Actimize AML Director, Ted Sausen, tackles a weighty new report by banking powerhouse, The Wolfsberg Group, which offers insight on the fincrime compliance opportunities and challenges in going fully digital when onboarding customers.
  • These challenges and tactics to overcome them are at the forefront of the Wolfsberg Group’s “Guidance on Digital Customer Lifecycle Risk Management,” released last month, with key considerations across the anti-money laundering (AML) program.
  • In short, the timely, rich and relevant guidance exhorts banks to champion fincrime compliance convergence, viewing the customer through more than just the lens of AML risk, but also from the perspective of fraud, corruption and cybercrime and then further augmenting those results with data outside the institution, including OSINT and social media. 

By Ted Sausen
AML Director, SME, NICE Actimize
April 26, 2022

With editing and content additions by Brian Monroe, VP of Content ACFCS

A just-released report by an influential cadre of the world’s largest banks tackles one of the most pressing issues in a world still in the midst of a global pandemic: how best to take on customers when, or if, they can’t or won’t walk into a physical branch.

This question takes on even greater importance than just ensuring a relatively smooth and stable customer experience when examined from the angle of financial crime and compliance requirements and duties to accurately calibrate potential risks for illicit activity – whether the individual is present in their corporeal form or not.

These challenges and tactics to overcome them are at the forefront of the Wolfsberg Group’s “Guidance on Digital Customer Lifecycle Risk Management,” released last month, with key considerations across the anti-money laundering (AML) program.  

To read the full nine-page report, click here.

In short, the timely, rich and relevant guidance exhorts banks to champion fincrime compliance convergence, viewing the customer through more than just the lens of AML risk, but also from the perspective of fraud, corruption and cybercrime and then further augmenting those results with data outside the institution, including OSINT and social media.

In seeking to “transition from traditional to more innovative mechanisms in the customer lifecycle,” Wolfsberg states that financial institutions (FIs) should consider the following:

·       Convergence urgency: Build a more holistic customer profile via a wider concept of identity that complements elements required under AML/CTF regulation with additional identity attributes (often used to prevent fraud or cybercrime), always in line with customer consent and applicable data protection regulation.

·       Seeing the big picture: Map the variables behind the holistic customer profile to internal or external data sources capable of alerting the FI to a possible change or deviation from the expected value of any particular data point or attribute, and structure data and the FI’s systems architecture in a way that facilitates the regular updating and tracking of these variables under a risk-based approach.

·       Overcoming the underbanked: Recognise that reaching the requisite level of trustworthiness on building the underlying customer profile is a risk-based decision, where, for example, certain local conditions, including support for 9 of 9 initiatives from competent authorities on financial inclusion, may warrant distinct approaches to identification, verification, and authentication.

·       Move forward, but have backup plans: Develop a robust assurance strategy focused on the key dependencies upon which the FI’s digital customer lifecycle risk management approach is based, assessing their reliability in line with existing frameworks and standards.

·       Working with regulators, not against them: Collaborate with competent authorities on digital initiatives aimed at increasing access to high quality identity data, including, but not restricted to, government-supported digital ID and similar accessibility initiatives that promote interoperability and facilitate access to financial services.

·       With more data power, comes more responsibility: Embrace as a design principle the recognition that using innovative technology for customer lifecycle risk management should be responsible — i.e., that the design and use of the technology is fit for purpose, secure, reliable, privacy preserving, consent based and accessible to consumers, and complies with relevant regulatory and policy requirements.

It’s no surprise that the The Wolfsberg Group chose to address this issue now.

The conglomeration is an association of thirteen global banks aiming to develop frameworks and guidance for managing financial crime risks – and how to bring on new customers safely and securely with only paperwork, copies and information is a challenge worldwide.  

Overall, the new report discusses how technology solutions can address many of the challenges outlined above, making anti-financial crime organizations more effective while improving the customer experience and overall satisfaction.

The guidance focuses on three core areas: identity verification, holistic customer profile, and movement from periodic reviews to a more perpetual or trigger-based review.

As banks adapted to pandemic, digital adoption surged

The Wolfsberg guidance is broadly welcomed by banks large and small, many of which have had to adapt quickly and figure out onboarding customers in new ways when the coronavirus pandemic caused lockdowns at country and regional levels.

Along with restaurants, and the cruise, hospitality, entertainment and commercial aviation spaces, many banks closed branches to customers – but still had the same cost and revenue pressures.

The result: banks that had been toying with the idea of digital onboarding made quick changes to take the process mainstream, while other institutions went from not having a process at all to some semblance of virtual onboarding in a matter of weeks or months.

Even so, one thing institutions may have struggled with in this slapdash scramble is understanding where and how their AML programs also needed to be tweaked, tuned and upgraded to better weave in and scrutinize the digital dimensions of customer risk.

The taking on and shepherding of digital customers throughout the course of their relationship with an institution does have connections to fincrime compliance programs more broadly.

On the positive side, taking on lower risk customers quickly in a digital way could free up sparse resources typically needed for more thorough and manual risk ranking exercises.

These efforts are critical and form the foundation of the modern AML program, sensitizing the transaction monitoring system to be more sensitive in producing alerts for higher risk entities.

As well, banks could open themselves up to more regions of the world without the need for a physical person to open that personal or business account – a potential boon to law enforcement if institutions gain access to the unbanked, underbanked or even previously de-risked.

But as with any newer trend hewing more toward technology than human decision-making, there are risks.

Speed in verifying identities and opening accounts can also lead to errors or be gamed by increasingly creative criminals, who in recent years have become adept at creating false and synthetic identities that, at first blush, seem like real people with real account histories and real pictures.

There are even full sites like this-person-does-not-exist.com that shows the ease at which artificial intelligence and related tools can be used to generate completely fake, and very lifelike, images of faces.

So while in some respects technology and digital identity adoption and lifecycle management can be an answer, it can also be no substitute for properly trained analysts and investigators who don’t take their digital faces at face value. 

Digitizing customers: better technology grabs them, stronger AML scrutiny keeps them

But to understand how the banking sector got this point – going fully digital when it comes to human interaction – you need to understand where we have been, from the revenue and compliance sides.

For the last several years, regulatory agencies worldwide have encouraged financial institutions to take a “risk-based approach” to financial crime management.

Regulators have guided financial institutions to build programs that focus on where the risk lies, taking into account key factors such as products, transactions, and jurisdictional differences.

Many financial institutions are placing considerable emphasis on ensuring they know who their customers are at the onset of the relationship and then throughout the relationship.

Financial institutions needed to train their relationship managers and onboarding staff to identify fraudulent documents to ensure that the person or entities they were doing business with matched the documentation provided.

Many times, in the case of individuals, that required a face-to-face meeting to ensure the documentation being presented genuinely belonged to the person opening the account. 

As technology progressed, there began a shift in onboarding processes.

First, they became more digital, where much of the information, or data, was collected electronically and then matched the documentation provided.

This eased much of the operational costs of transforming the physical documents into meta-data that could be used for other purposes, including ongoing financial cime compliance monitoring of those customers.

The last two years have seen a dramatic shift in this space in four significant ways.

First, technological advancements have made their way into fighting financial crimes by doing it better and cheaper.

The world has also seen a substantial change in how it does business.

There are fewer in-person meetings, including those which previously required people to go to brick-and-mortar buildings.

Consumers also have a marked change in attitude – people want things done quickly and with as little effort as possible.

With all these drivers, change was inevitable; however, the speed at which it occurred was surprising.

Even so, banking groups responded – and did so at lightning speed.

Financial Institutions began implementing digitized solutions in a few weeks, projects that usually would have taken several months, or even years.

Real world examples of digital upgrades: skipping steps to get ahead – in line and life

There is obvious pain with bank technology, systems and program upgrades, particularly when they are done quickly and in the stressful crucible of a turbulent and tumultuous global pandemic.

But some companies who have already conquered some of those challenges are already reaping the benefits – and customers are noticing.

Which ones?

Customers like me.

The process of Identify Verification has seen a bevy of advanced, innovative and effective technologies coming into this space, although it has not been without its limitations.

As a quick sidebar, I have to tell a story about a recent return from an overseas trip.

Everyone dreads the lines at immigration and border patrol. I use Global Entry, an expedited process for getting through the different checkpoints, much like Registered Traveller in the UK or Nexus in Canada.

I was used to going to a kiosk and dealing with a multi-step process:

  • Putting my passport in the scanner
  • Getting my fingerprints evaluated for verification purposes
  • Answering several standard international re-entry questions
  • Getting my picture taken
  • And finally, waiting for a printed form

This time, the experience was quite different and gave me a concrete glimpse of how speedier digital analysis and processing could result in a much smoother customer experience – in this case mine.

I approached the kiosk, and the first thing it did was take my picture.

Almost immediately, my personal information appeared on the screen, and my trip information was in front of me.

I received a simple printout, and I was on my way in about 30 seconds. I have to admit, I was impressed at their facial biometrics technology, all from comparing it to a passport picture on file.

This is precisely what the Wolfsberg Group guidance discusses: non-face-to-face identification and validation. 

Is more speed and accuracy possible for capturing digital customer risk? Yes, according to Wolfsberg

With many financial institutions shrinking their brick-and-mortar footprint, this may be the future standard, which comes with many benefits.

First, the verification is superior, and the technology is far more reliable, than an actual person comparing a photo ID that could have been taken years ago to the person standing in front of them. 

The speed at which this is done makes the process flow much more quickly and in a more repeatable, manageable manner, making the onboarding process a better overall experience for everyone.

Think of it like this: a faster and better customer experience for one person means fewer lines, the lines moving at a more rapid pace and less stress for all – a nice benefit whether you are waiting to board a plane or get critical access to the global financial system.

In addition, the customer saves time traveling to a physical location during the verification process.

Still, the financial institution can also leverage data from different sources to obtain the information they need without the added touchpoints to the customer, improving that customer experience even more.

The end goal is the same, a bank at the end of the day has a newly onboarded customer who has been verified through the digital information provided.

In tandem, the information has been analyzed for fincrime compliance risk-ranking purposes by humans and technology – things like OSINT, PEPs, negative news – and the institution has a finalized profile that accurately identifies the risk, all while improving the customer experience.

Financial institutions must understand the risk of a potential customer at the onset of their relationship and throughout the relationship as it may evolve.

The Wolfsberg Group refers to this process as “progressive identity” – building out a customer’s digital presence over time.

This can be accomplished by continuously monitoring clients using both internal and external data sources.

External sources can provide many types of data that may be useful, such as phone numbers, email addresses, lengthy history of physical addresses, changes of address, social media content, etc. 

In many cases, the bank has a host of allies in this identity verification battle in the form of data, government databases and other information available through Application Programming Interfaces (APIs), which are software intermediaries allowing two applications to talk to each other. 

Some governments make a variety of APIs available to financial institutions.

These APIs allow institutions to access information used for validation or to supplement profiles with information such as occupation history, credit history, marital status and more.

Access to such a wealth of data comes with great benefits over time.

Financial institutions can discover hidden risks that may not have been found using traditional question-and-answer methods.

There is a fine line between asking a prospect questions to identify any potential risk, versus asking too many questions that cause friction and cause the customer to go to another institution.

With all this information, financial institutions can build an extensive digital footprint that can be used for continuous fincrime compliance monitoring and focusing mainly on customers that pose a heightened risk of financial crime activity.

Perpetual Monitoring Mode: putting an end to periodic reviews, period

Financial institutions are moving toward a continuous or perpetual monitoring mode of operation.

Traditional Periodic Reviews are time-consuming and costly yet do not always yield effective results. With constant monitoring, financial institutions can more quickly detect changes in events.

As addresses change or a customer’s product mix changes, the information is captured near real-time. A customer can then be re-evaluated for any changes in risk.

Wolfsberg recommends taking each risk factor and mapping them to internal and external sources that can be used to detect any activities/changes that show deviation from expectations.

Financial institutions may also use their internal knowledge to reduce some of the noise this type of monitoring may cause and even help to reduce additional customer frustration – in particular by taking the need for a human on the other end of a phone line out of the equation entirely.  

For example, I like to travel internationally. I cannot tell you how often I have had to make unpleasant phone calls to my credit card company that put a hold on my card due to unusual behavior.

The last thing I want to do is spend my travel time waiting on hold for someone to remove the block on my card. 

Yes, that did cause friction, and no, I am no longer with that institution.

My current provider uses its internal and external partners to reduce the noise and friction on my account. They know when and where I am traveling and better understand what is or is not unusual.

They have the benefit of reducing unnecessary alerts, they have the advantage of not having people spend their time on the phone asking questions about the transactional activity on the card, and I have the benefit of not being on the phone during my vacation.

In summary, times are changing due to various world events and changes in technological capabilities, and we must continually adapt – the worldwide pandemic over the past more than two years and burgeoning artificial intelligence sector are just a few examples.

This is not the first time that technology and social change have created such a significant transformation.

I once was given an example by a co-worker. When spreadsheets like Lotus 1-2-3 and Microsoft Excel first came out, accountants everywhere feared their jobs were in jeopardy.

But, instead of losing their jobs, it just changed how they executed their work.

Our traditional means of gathering information have changed, and we must not just embrace it but also take advantage of it.

We need to leverage the digital shift to further our systems to fight financial crimes. However, there is one word of warning. It is critical to understand where your sources of information are coming from, how reliable they are, and that you are using them appropriately.

In this measure, Wolfsberg and other regulators are in complete agreement. 

Staying ahead of the bad guys: don’t let them fake it until they make it

Leveraging technology will bring us wide and confident strides forward with many of the benefits detailed above. 

As we noted above, how quickly and completely customers are onboarded and accurately calibrated for AML risks has direct import to your compliance program operations.

Some potential improvements include anti-financial crime solutions becoming more agile and programs themselves becoming more operationally effective.

Another less ballyhooed offshoot: The respective customer bases of these institutions seeing significant improvements in their services – mostly because the bulk of the upgraded analyses of their digital lives is happening on the back end in bank systems, not in customer service waiting lines.   

This baseline of success is making it easier for financial institutions to take a renewed and enhanced risk-based approach to the next level. 

Going forward, I predict that there will be more confidence in applying a simplified due diligence approach for perceived lower risk customers without the fear of missing hidden risks, freeing up resources to focus on those customers with a heightened risk of money laundering behavior.

But what we need to remember in this environment is that advanced technology can work for both the good guys and the bad guys. 

I can’t help but remember back in 2020 when Channel 4 in the UK aired a deepfake  Christmas message from the Queen that was incredibly convincing.

The broadcast really looked as though the Queen herself was delivering that message.

The only giveaway that it was not the Queen was the obvious satirical content being delivered.

This example proves that financial crime solutions need to continually adapt, and even aim to be multiple steps ahead of those bad guys who may be armed with advancements of their own.

As financial institutions are using technology for good, there are many bad actors out there using technology to facilitate their illicit activities. 

About the author

Ted Sausen is a Subject Matter Expert within the NICE Actimize AML Line of Business. His role focuses on ensuring the Actimize AML technology solutions align with regulator expectations and the needs of the customer.

He has over 25 years of experience implementing global enterprise solutions across multiple industries including high tech, financial, transportation, and manufacturing. He supported engineering, finance, supply chain, product safety, and regulatory compliance.

Prior to joining NICE Actimize, Mr. Sausen was a Senior Vice President at a large financial institution, leading the Global Compliance Analytics and Technology group.

His role focused on implementing strategic solutions to fight financial crime, and supporting Global Economic Sanctions, AML Framework and Advisory, and the Financial Intelligence Unit. Mr. Sausen received his Certified Anti-Money Laundering Specialist (CAMS ) Certification.