ACFCS Special Contributor Forecast: Data Privacy, Protection Challenges and Risk Management Concerns Will Lead AML Compliance Direction in 2023

By Adam McLaughlin
Head of AML Strategy, NICE Actimize
Dec 29, 2022

With editing by ACFCS VP of Content, Brian Monroe

Regarding financial crime, we have ended a roller coaster year.

The UK pushed through the Economic Crime Act with unprecedented speed, the sanctions landscape changed overnight with Ukraine and Russia conflict, and there was political uncertainty both in the UK, with a number of Prime Minister changes and in the US with the midterm elections.

Any one of these events can impact the focus and direction of financial crime, but all told, it kept compliance, including AML, fraud and sanctions teams, regulators, investigators, auditors and vendors, busy and focused at an unprecedented level.

At the top of this year’s issues, we have seen a significant increase in an entity-centric financial crime strategy, also referred to as end-to-end customer lifecycle risk management.

Indeed, financial institutions have identified that to be more accurate, risk management needs a better approach to understanding customers.

To accomplish this, data, systems, and teams’ view of a customer has to be integrated, proving to be a more effective risk-based approach as many regulators, industry experts, and organizations seek a comprehensive understanding of customer risk.

This year there was also more discussion around enterprise risk management.

When it comes to understanding risk across an organization, one of the most significant exposure points are the customers themselves.

Entity centric, and the various iterations of the 'entity-centric' approach, has become an increasingly important strategy for the regulated sector as it addressed customer risk this year.

Prediction 1: The Battle of Privacy Vs. Information Sharing Conflict

Criminals do not rely on one financial institution for all their financial needs; they diversify across multiple institutions and jurisdictions.

And the use of sham corporate vehicles is widespread because it provides criminals the anonymity they crave.

Global efforts have taken away the corporate veil of secrecy in some jurisdictions by introducing laws requiring greater transparency of corporate controllers and Ultimate Beneficial Owners (UBOs).

The AML Act in the US is looking to introduce UBO registers and the recent Economic Crime Act in the UK introduced legislation requiring overseas corporate entities which own UK property to disclose the property UBOs.

The 5^th Money Laundering Directive in the EU introduced the requirement for open, freely accessible public UBO corporate registers across all member states.

All seemed like it was going well until a recent European Court of Justice ruling debuted, which stated that the requirement of the 5^th Money Laundering Directive for open public registers of UBOs is invalid and an affront to the right to privacy of the UBOs of companies.

Since this ruling, some EU jurisdictions have restricted public access to corporate registries.

This case is a powerful example of the battle between privacy and transparency in the fight against financial crime. In some respects, this ruling takes us back years because if more people can access the data, we are more likely to join the dots.

All is not lost, though, as the court did accept that specific sectors, such as the press, are instrumental in helping to fight financial crime and these sectors and organizations should be entitled to access to the registers.

This battle of privacy versus information sharing is also played out in private information-sharing initiatives.

There is an increased desire in the industry to share information on suspicious activities, criminal entities, or individuals. Several initiatives where data is transferred or monitored collectively have been established for both KYC and transaction monitoring.

For instance, more than a decade ago many of the largest banks in the U.S. created a company with the goal of swimming customer data together to prevent fraudsters from scamming one institution – and just going across the street to the other and doing the same thing again.

They even got a blessing from the U.S. Treasury when FinCEN, without naming the company itself, issued an interpretive letter stating the institutions were protected by Patriot Act Section 314(b) as a “collection of banks.”

More recently, in 2019, several of the largest Dutch banking groups chose not to go Dutch when fighting financial crime on the heels of massive European money laundering scandals that have snaked suspicion and scrutiny to regions like Amsterdam and the Netherlands.

Financial services giants including ING Groep NV, Rabobank and ABN Amro Bank NV – all banks in recent years that have been hit by U.S. or home country financial crime compliance penalties – crafted a joint venture to share information.

In all, the institutions share data about transactions occurring across multiple banks and jurisdictions in an effort to better identify the telltale signs of illicit activity and broader ties to larger interconnected organized criminal groups.

The name of the facility is the Transaction Monitoring Netherlands (TMNL), with overarching stewardship coming from the Dutch Banking Association (NVB).

Most initiatives, however, come up against one hurdle— privacy!

Until the matter of protecting Personally Identifiable Information (PII) is resolved or there is a clear legal gateway to share information, genuine information-sharing initiatives will not get off the ground and will fall at the first hurdle.

PII is digital gold for hackers, scammers and cyber-enabled fraudsters, with these groups notching high-profile attacks against government agencies, hospitals, schools and everything in between in 2022 – a trend that shows no sign of slowing in the New Year.

Stolen PII can then be used to attack high-ranking individuals at rich companies or create zombie synthetic identities, which can be used to open hundreds or thousands of accounts, stealing millions of dollars from banks.

So countries have legitimate reasons as to why they need to protect this data.

One country where this duality of sharing information to tackle broad financial crimes can yield stunning success, but can also still face restrictions by privacy constraints, is Canada.

In recent years, Canada has showed focus, creativity and tenacity in the arena of stronger information sharing between regulators, banks and law enforcement to target some of the most insidious financial crimes of our times, including human trafficking, which became a global model to help other regions.

Spearheaded by banks including BMO, HSBC, CIBC, RBC and Scotiabank, these groups have partnered with Fintrac, the country’s financial intelligence unit, to go after money laundering, child exploitation, romance scams and other frauds through public-private partnerships (PPPs).

Even in these formalized arrangements, banks have to balance their desire to better use their data and help law enforcement with a very real fear of violating recently-strengthened privacy rules – with failures resulting in penalties of more than $100,000 or more.

As well, while it can create operational alerts with red flags for certain surging crimes, in many cases Fintrac can’t even follow up with reporting entities for more details on certain filings tied to named subjects due to constraints by the country’s privacy laws.

This conflict will be a central focus for many in 2023, especially now after the European court ruling on public and corporate registries.

The question is which will win out: will we get greater freedom to share information and, with that increased transparency, or will the right to private life and privacy overrule the desire of the financial crime community?

Prediction 2: Collective Risk Management

"Enterprise Risk” will be the word of the year in 2023, especially in understanding customer risk.

The reason: risk is not static, siloed, and certainly not exclusive to AML concerns.

There are a number of factors financial institutions weigh which can impact how risky a customer is and ultimately help to understand any potential proclivities toward engaging in financial crime.

AML risk factors are one, which include: transactional, KYC, and screening risks, but there are a host of considerations to consider to really scrutinize a customer – individual or corporate – from an “all crimes” perspective.

There is fraud risk, credit risk, and, increasingly importantly, Environmental, Social, and Governance (ESG) risks, particulary with more direct tethers to financial crime.

What would be an example of this?

For instance looking at just the E piece of that, environment, rather than just looking at a company that could be profiting from razing part of a rain forest, pull back the lens to see if it has bribed local government authorities to grease the wheels of progress – engaging in corruption. More on this later in my ESG preview.

These risks should also not sit and operate independently.

When assessing customer risk, all these factors need to be considered to understand the customer's collective risk.

Traditional enterprise risk is about more than just assessing customer risk. It is broader still and considers aspects such as liquidity, operational, strategic, financial, and hazard risk, to name a few.

In 2023 an enterprise risk approach will be taken to understand customer risk much more granularly than is achieved today.

But we also know that risk ebbs and flows, rises and recedes.

Any customer is dynamic. Over time their behavior, financials and transaction types will change, more so with corporate customers.

Some customers may invariably be criminals or turn to crime during their relationships and some customers could become victims of crime, including fraud, which is an increasing threat – even more so with cyber-enabled fraud, such as a ransomware attack and crypto-fueled payday.  

Each of these aspects of risk is an essential indicator of how financial institutions interact with the customer.

However, inside financial institutions, each risk indicator is often separate, stored on separate systems, and accessed by different teams. This results in a disjointed, inaccurate 'enterprise-wide assessment of the customer and their risk.

Regulators and bodies such as FATF call for organizations to adopt a risk-based approach to managing risk. This must be done with cohesive systems, data, or teams.

This is why I believe the next evolution of the risk-based approach will be to connect these disparate data sets and systems to contextually understand the customer's risk—combining their credit risk, ESG risk, AML risk, and fraud risk to achieve an overarching risk or trust score for the customer.

This holistic risk picture helps fuel better monitoring and detection and better revenue decisions based on how trustworthy the customer is.

This evolution will gain traction in 2023.

Globally, financial institutions are increasingly looking to converge their fraud and AML functions and systems.

The reason for this convergence?

This approach enables more robust risk management and assessment of both customers and transactions, confirming my point about the traction in the industry to move toward an enterprise view of customer risk.

Prediction 3: ESG Risk a Financial Crime Issue

This prediction touches on some of the same points I made in a few of the prior prognostications.

In essence, paint with broad strokes when analyzing what could be perceived as risky bank behavior or investment strategies – as they might just be actually linked with illicit entities and tainted funds.

In 2023, ESG will find its way even more concretely into the realm of financial crime.

What does ESG have to do with financial crime?

ESG is not just about ensuring a business has green credentials and operates carbon-neutrally.

It is more than just looking at stakeholders and whether the company is acting inclusively and paying fair wages.

ESG is about whether the business is having an adverse impact environmentally or socially, which could include clear breaches of domestic or internatlonal laws, such as illegal logging or fishing and employing an enslaved person or using child labor.

ESG issues can be committed either by the direct customer of the financial institution or by a sub-contractor, or somewhere along the supply chain.

The matters highlighted are all crimes, therefore it goes without saying that any proceeds generated after that could be construed as being the proceeds of crime.

Since this could implicate the direct customer of the financial institution, it is critical that all financial institutions take into account their ESG risk when it comes to monitoring and investigating financial crime.

Take illegal fishing, for example.

It is responsible for the destruction of marine ecosystems and lost revenues for local fishermen and is worth up to USD 23 billion in revenues for criminals.

Ostensibly, this is a classic supply chain issue, but banks play a pivotal role in financing trade deals through their relationships with the companies comprising the supply chain itself, including:

• The company itself making the product.
• The fleet getting the fish.
• The group owning the mine.
• The related domestic or foreign manufacturers.
• Importers and exporters.
• Shipping and receiving firms.
• Ocean vessels, aviation operations and the like.

Moreover, financial institutions need to know who their customers are, the nature of their customers and now increasingly, with whom their customers deal.

Failing to do this could result in the financial institution unwittingly banking a customer engaged in illegal activity and ultimately banking criminally derived funds, therefore facilitating money laundering.

Illegal fishing is one of many examples where seemingly legitimate companies can commit a predicate crime.

Some examples: Furniture companies or manufacturies, food manufacturers or agricultural customers could be directly or indirectly engaged in ecological destruction such as illegal deforestation.

Jewelers or mining companies could be directly or indirectly involved in illegal mining or the use of an enslaved person or child labor.

Logistics and shipping customers could be engaged in the transport of illicit goods, including from the illegal wildlife trade.

This is a challenge in and of itself, and we are not even talking about the chance that any of these risky or criminal ESG parties are also clearly or surreptitiously on a sanctions blacklist.

There is another area where ESG and financial crime is intricately connected, and that is when it comes to corruption.

A large part of ESG is about protecting the environment.

There is no bigger drive right now than trying to go carbon neutral. The cornerstone of carbon neutrality is the use of renewable energy.

This requires the private and public sectors to build green infrastructure.

Combine this with the vast sums of money up for grabs to construct the infrastructure in a bid to work towards the global target of carbon neutrality by 2050, and you now have the perfect breeding ground for corruption.

Especially when the International Energy Agency stated in 2021 that to achieve carbon neutrality by 2050, we need USD $5 trillion of investment globally in energy investment by 2030.

FATF is increasingly vocal on the issue of where ESG efforts can intersect in dedicated fincrime and compliance directives, recently releasing guidance on the illegal wildlife trade.

This is in addition to publications on human trafficking, illicit mining and labor exploitation.

In 2023 we will see more action where ESG and financial crime compliance are interwoven like never before – helping to understand better and manage the risks, taking one step closer to stopping financial crime.

In some cases, regulators are already mentioning ESG and AML in the same breath.

In June 2022, the OCC released its Fall Semiannual Risk Perspective, highlighting that examiners are preparing the sector for a new and rigorous review of ESG programs under the overarching rubric of “climate-related financial risk” exams – an initiative interlinked in some cases with fincrime compliance duties.

The federal regulator noted that FinCEN issued a “notice to call attention to an upward trend in environmental crimes and associated illicit financial activity. Environmental crimes have a strong association with corruption and transnational criminal organizations.”

In the view of federal examiners, "environmental crimes contribute to climate risk by threatening ecosystems, decreasing biodiversity, and increasing carbon dioxide in the atmosphere.”

Combating corruption and transnational criminal organizations are “among the priorities” FinCEN announced in the Anti-Money Laundering and Countering the Financing of Terrorism National Priorities issued in June 2021.

The widely-watched and highly anticipated AML priorities were the first concrete update to implement the U.S. Anti-Money Laundering Act (AML Act) – the most significant upgrade to the country’s fincrime framework since the 2001 U.S.A. Patriot Act.

More on the AMLA and the overarching shift from technical compliance to intelligence-infused investigations under my next section on a “Focus on Real Threats."

Prediction 4: Focus On Real Threats – the lofty and ill-defined goal of effectiveness

In a bid to better match up resources and results, 2023 will be the year when the industry increasingly targets its efforts to monitor and detect real financial crime threats and stop generic monitoring, including significant human, technological and fiscal expenditures to monitor low-risk activity.

It is no secret that many organizations suffer from high false positive rates.

What may be controversial is that many organizations put significant resources and effort into monitoring the wrong areas of their business for what is ultimately low-risk activity.

A large part of this is because historically, regulators have, through guidance, notifications and regulatory findings, encouraged or required financial institutions to monitor these areas of the business more intensively than the risk assessment maybe deems necessary.

Most of the focus is on the retail and domestic services offered by financial institutions.

The significant financial crime risk is not in any one individual retail account. The risk is often in other areas, such as capital markets, international trade and corporate/ commercial banking.

These are the areas where most money laundering occurs because it is easier to move vast sums of money under the guise of ‘legitimate’ income.

There is also a risk in retail, with particular use cases including mule accounts and activity such as human trafficking, where the victim is often forced to open an account in their name with the account usually controlled by the trafficker.

Historically, detection scenarios have often been too general to identify this specific type of activity.

It has already started, but in 2023 we will see greater focus on monitoring and detecting tangible high-risk activity.

The first will be greater attention on high-risk verticals, such as corporate banking, trade, and capital markets. These verticals have been in focus for a while.

Capital markets have been in focus for a number of years since the mirror trading activity and the thematic review released by the United Kingdom’s Financial Conduct Authority (FCA) in 2019.

In 2023 organizations will actively seek new technology solutions to overcome today's challenges in detecting suspicious activity in these verticals.

From a predicate crime perspective, there will increasingly be a demand to identify high-impact illicit acts more accurately.

High-impact crimes are already well understood, but in 2023 organizations will start to more expansively and aggressively scale the mapping of these crime typologies to their vendor-driven or bespoke monitoring solutions – potentially even tinkering with new technologies, like AI and machine learning.

The goal: to more accurately detect when an individual is potentially a victim, or a suspect is potentially involved in human trafficking or when individuals or entities are involved in wildlife trafficking.

Changing from a focus on the pomp and process of AML compliance to crafting deep, timely and relevant intelligence for law enforcement is at the heart of the AMLA.

The AMLA is an expansive package of updates to break open beneficial ownership bastions, bolster public-private information sharing, usher in a new era of innovation and focus on effectiveness – with the threat of higher penalties for violations, and serial scofflaws.

Coinciding with and underpinning the release of FinCEN’s AML priorities, the Wolfsberg Group issued a critical missive to detail in practical, tactical steps how financial institutions can actually demonstrate effectiveness.

Being “effective” is a term in recent years bandied about with much fanfare, but little in the way of bright-line, auditable boundaries.

In short, the Wolfsberg metrics of effectiveness include:

• Are you compliant with local AML laws, cognizant of global standards?
• Are you producing highly useful information to law enforcement, guided by national AML priorities?
• Do you have a reasonable compliance program that reviews internal and external threats, gaps and vulnerabilities and adjusts based on rising or receding risks and law enforcement input?

To read the full statement by Wolfsberg Group, an influential alliance of more than a dozen of the world’s largest banks, including Citi, JPMorgan, Barclays, Credit Suisse and others, click here.

This change in focus in 2023 will bring greater effectiveness in targeting and mitigating illicit activity, ensuring organizations can assign the right resources to the threats that have the most significant impact and pose the greatest financial crime risk.

Prediction 5: DNFBPs – Non-Financial Institutions and AML Risk

Designated Non-Financial Businesses and Professions (DNFBPs), such as art dealers, estate agents, notaries, lawyers, company service providers, accountants, and casinos, are businesses considered to pose a money laundering risk but are not classified as financial institutions.

These businesses pose a risk as they are gatekeepers to the financial sector. Through DNFBPs, individuals and corporates can place vast sums of money and assets into the financial system.

Most of these businesses have more direct relationships with their customers than banks. These businesses take their customers' money and place it into a bank (often in the name of the DNFBP business).

These businesses usually have a feel for their customers, their customers' history, behavior and source of wealth. In some cases, especially for higher net-worth individuals, they will have face-to-face meetings with their customers.

They will help their customers in their day-to-day lives, such as helping deal with assets, businesses, tax affairs, and legal matters.

If anyone is going to understand if an individual is 'legitimate' or 'illegitimate,' it will be these businesses.

For good or ill, arguably, most DNFBPs have more information on the underlying customers and their activity than the banks, so they should be more likely to spot suspicious activity sooner.

It is difficult for financial institutions to spot individual suspicious transactions, especially if all they see is the economic movements of the DNFBP business account and not the underlying individual/ business to which the transactions relate.

A large number of countries have introduced regulations to regulate DNFBPs, such as the Money Laundering Regulations in the UK.

Each industry is supervised by its regulatory body, such as the Solicitors Regulation Authority or the Chartered Institute of Management Accountants. But there is an inherent weakness in a dynamic where a “self-regulatory body” essentially oversees itself.

This creates the risk of inconsistent application, enforcement or oversight of the regulations.

Lax beneficial ownership requirements have been a magnet for criminals of all stripes for decades and armies of gatekeepers, including attorneys, professional services firms and corporate formation agencies, have in some cases used their knowledge to gaps to shield and insulate a corpulent cabal.

Shell companies have been linked to organized criminal money laundering and drug trafficking syndicates, massive frauds, grand corruption, tax evasion and terror finance.

Moreover, if one country gets tough on ownership standards, these groups just jump to another jurisdiction with weaker disclosure requirements.

The meaning: All countries need to regulate DNFBPs.

But that naturaly begs the question: How can we ensure compliance with regulations and start to fight money laundering in this sector if different bodies regulate businesses differently and if these businesses are even required to report suspicious activity in the first place?

FATF clearly state in their 40 recommendations that DNFBP's should conform and comply with AML regulations and best practice. Recommendations 11, 12, 15, and 17 to 21 apply to DNFBPs with a specific section for DNFBPs in recommendations 22 and 23.

Some countries, such as Australia and US, do not regulate all DNFBP's.

Recently the US senate blocked the Enablers Act, which would have required many DNFBP's to conduct AML checks on their customers.

There continues to be much focus on DNFBPs. They are in the regulatory crosshairs and are in the spotlight of financial crime professionals.

To win the fight against financial crime, we all need to work together to identify, detect and report suspicious activity. We must do this with the support and cooperation of DNFBPs.

In 2023, there will be increased pressure to align regulation for DNFBPs, and there will be a strengthening of enforcement on DNFBPs with more significant fines and tremendous pressure on those organizations failing to comply or facilitating illicit activity through their businesses.

Leveraging greater use of AI and machine learning in the year ahead, including network analytics, will provide continued advancements in transaction monitoring.

This is something clearly on the minds of regulators and was spelled out in a seminal Dec. 2018 joint statement from regulators, including the U.S. Treasury’s Office of the Comptroller of the Currency (OCC), cajoling – not ordering – bank compliance teams to tinker with technology to improve effectiveness, results and maximize resources.

Where can these technologies help – and in fact are already helping vendors and the banks they serve – related to fincrime compliance duties?

Some examples include:

• suspicious activity detection
• data segmentation
• model tuning
• transaction alert accuracy
• predictive scoring
• advanced anomaly detection
• federating learning
• collective intelligence
• consortium-based analytics – which improves the detection race across the industry as a whole by involving multiple institutions.

This will help organizations identify more threats more accurately than ever before and will include a greater focus on perpetual KYC.

As a contextual point, experts, analysts and watchdog groups have bemoaned the fact that the billions upon billions of dollars spent by banks annually on AML compliance to uncover the estimated more than $1 trillion laundered annually results in less than one percent of sullied funds actually being seized, frozen and forfeited.

That is a key reason why examiners are embracing institutions choosing to break paradigms to improve immediate outcomes.

Let’s hope these predictions advance and see reality – ultimately making it harder for criminals to hide in the shadows and our job of stopping the criminals a lot more productive.

About the author

Adam McLaughlin is the Global Head of anti-money laundering (AML) Strategy and an AML subject matter expert (SME) at NICE Actimize.

Before McLaughlin’s roughly six years in financial crime compliance, he spent 10 years as a Police Detective in the UK, with the last three years managing a Financial Crime investigation team in the City of London Police, the UK’s national lead force for Economic Crime.

He was also an operational member of the Joint Money Laundering Intelligence Taskforce (JMLIT) in the UK and on the Money Laundering through Capital Markets experts working group.