The onion and what does it have in common with money laundering?
Well, nothing really. However, the onion has been used as a metaphor to describe the layers of security/encryption in the Tor network, where the rise of dark markets (hidden services) has introduced new modus operandi for illicit financial flows. It can also be used to describe the “layering” part of a money laundering scheme, or a really introverted person. As I peel back the layers of an onion, I’d like to use it to describe the layers of complexity in the modern financial landscape.
A brief backstory
We have seen, and are still in the midst of, a financial shift where the traditional financial institutions’ business models are being challenged.
The single main enabler behind the changing landscape is the Internet. Not only did the Internet bring democratization of information, it also enabled new business models to flourish and challenge very traditional entities like the banking sector. Focusing on the consumers and the freedom of choice, new payment methods came to life in the mid/late 1990s. These payment methods also gained major traction from other business segments that went “online”, for example online gambling, entertainment, the adult industry and many more. The traditional financial institutions, generally, never really caught up with the pace of innovation, nor have they had the ability to reorganize their business models and organizational structures.
This, together with the rise of fin-techs and supporting legislation like PSD2, is leading to an ever more decentralized and fragmented financial landscape for consumers, businesses and financial companies alike. This is an interesting development where the main winners are the customers of the financial institutions. I see strong benefits in the freedom of choice when conducting my own or my company’s business, but it also brings huge challenges when we need to stop bad actors from misusing the financial systems.
Decentralization and fragmentation bring obfuscation. If you are responsible for knowing your customer and the reason for his/her behaviour, the state of interconnectedness and obfuscation needs to be prioritized as a risk factor.
What I mean by obfuscation is the lack of information. Imagine you have had a night out with your friends, you crash into bed, and suddenly you get a call in the middle of the night from your boss demanding that you read an email... right now. That haze, and the squinting you do when looking at an overly bright mobile screen while trying to figure out how to open your email client… that is also obfuscation.
So, a scenario… A customer at bank A can freely choose from a library of service providers X, Y and Z to initiate a payment on the customer’s behalf, which may also be instant, to another 3rd party provider, who in turn forwards it to a final destination. All this while the main responsibility for controlling the legitimacy of the transaction lies with bank A. The 3rd party providers that the customer chooses to use piggyback on bank A’s controls for knowing their customer and the intention of the payment. So what happens when the customer account at bank A has been opened with a fake ID or belongs to a money mule? How will you track a payment to a final receiver when it passes through N proxies?
The responsibility for applying controls on customers and transactions is a legal requirement on every regulated party involved in the transaction. Even if traditional financial institutions like banks have more experience and more financial muscle to apply controls against misuse, 3rd parties also need to understand and control the risks involved.
Audits from financial authorities, and clearer and stricter requirements towards 3rd party providers, are likely to increase (even more so in 5AMLD). This will result in a cost increase, in both money and knowledge, especially for fin-techs that are piggybacking on existing controls at traditional financial institutions.
If you want to increase your capability to match this changing threat landscape, you need to adapt. Changing the risk scoring of customers, adjusting levels in transaction monitoring systems and asking customers check-box questions may once have been enough to raise the protection levels a bit, but these methods are failing more rapidly if you don’t start to evolve with your surroundings.
You need to gain insight!
The first task should always be orientation. What is the lay of the land? In this case: what modus operandi do bad actors use when they misuse my company to exploit the financial system? Here threat intelligence should be regarded as a main staple when you construct your controls, especially if you don’t have an unlimited budget to spend on defence. Knowing where to put your bag of money on controls is one of the best investments you will make.
Second, measure everything… I mean everything. Create a knowledge base of your customer behaviour types. With “prior knowledge” you are in a good position to analyse whether a specific customer or segment is behaving in or out of scope compared with the rest of your customers. It will also be useful when looking into whether your product catalogue or other business segments have an unusual exposure rate to bad actors. It may also be useful for identifying new behavioural types that do not correspond to anything you have in your baselines. The progress of recent years within automation, machine learning, neural networks etc. should absolutely be seen as a toolbox to use in conjunction with good threat intelligence.
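The baseline idea described above, as an added example (not code from the author or Acuminor): each customer is compared with the median and median absolute deviation (MAD) of their own segment, and customers in a segment with too few peers to baseline are queued as a possible new behavioural type. The feature names, segments, sample customers and the 3.5 threshold are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

FEATURES = ("tx_per_month", "third_party_share")  # hypothetical feature names

# Constructed sample: (customer, segment, tx_per_month, third_party_share)
CUSTOMERS = [
    ("c01", "retail", 22, 0.10), ("c02", "retail", 25, 0.12),
    ("c03", "retail", 19, 0.08), ("c04", "retail", 24, 0.15),
    ("c05", "retail", 21, 0.11), ("c06", "retail", 23, 0.09),
    ("c07", "retail", 20, 0.95),   # nearly everything routed via providers
    ("c08", "sme", 140, 0.30), ("c09", "sme", 155, 0.35),
    ("c10", "sme", 150, 0.28), ("c11", "sme", 145, 0.32),
    ("c12", "sme", 160, 0.31), ("c13", "sme", 900, 0.33),   # volume spike
    ("c14", "marketplace", 40, 0.60),   # segment with no baseline yet
]

def build_baselines(rows, min_peers=5):
    """Per segment, one (median, MAD) pair per feature; small segments get none."""
    grouped = defaultdict(list)
    for _, segment, *values in rows:
        grouped[segment].append(values)
    baselines = {}
    for segment, vals in grouped.items():
        if len(vals) < min_peers:
            continue  # too few peers to say what "normal" looks like
        baselines[segment] = []
        for column in zip(*vals):
            med = median(column)
            baselines[segment].append((med, median(abs(v - med) for v in column)))
    return baselines

def review_queue(rows, threshold=3.5):
    """Return {customer: reason} for customers outside their segment baseline."""
    baselines, flagged = build_baselines(rows), {}
    for customer, segment, *values in rows:
        if segment not in baselines:
            flagged[customer] = "no baseline for segment"
            continue
        for name, value, (med, mad) in zip(FEATURES, values, baselines[segment]):
            if mad == 0:
                score = 0.0 if value == med else float("inf")
            else:
                # Modified z-score: 0.6745 scales MAD to a standard deviation.
                score = 0.6745 * abs(value - med) / mad
            if score > threshold:
                flagged[customer] = f"{name} out of scope for {segment}"
                break
    return flagged
```

Median and MAD are used instead of mean and standard deviation so that the very customers being looked for do not drag the baseline towards themselves.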
If you are worried that the information collection is not in line with, for example, GDPR, don’t stress about it. Just make sure that you use it for your intention to comply with the anti-money laundering directives, and keep the information safe and restricted (obfuscate it if it makes you feel better). Inform the customer; it may actually have a proactive result. And don’t hand over the information to marketing departments or use it for churn predictions.
How to move on from here
Rob Wainwright, the former director at Europol, stated that “we are losing the fight against financial crime”. In my view there is not a single event (except for maybe the Internet) that can be highlighted as a root cause of this growing challenge. The overall problem of financial crime should be regarded as a wicked problem… and wicked problems need wicked solutions.
In upcoming chapters I will reflect a bit on whether criminals lie, the challenges that come with building proactive/reactive measures, and the benefits/pitfalls of new technologies.
Have an amazing day and embrace discomfort.
JoLa – heading up the Acuminor Lab
See you at ACAMS – Anti-Financial Crime Symposium – Nordics?