OFSI Annual Review – 2022-2023

Sneaking in at the end of last year, OFSI (Office of Financial Sanctions Implementation HM Treasury) published their annual review. Or at least, the annual review running to March 2023, so a document that is some 9 months in the making!

Headlines, assuming that you can call them headlines given that the document is essentially out-of-date the moment that it was published, centred on Russian sanctions relating to the war in Ukraine, new cyber designations, and the growth of OFSI staff by 96 FTE. But no headline grabbing enforcement numbers. Between April 2022 and March 2023, OFSI issued just two monetary penalties with a combined value of £45,000.

As of March 2023 there were 3883 designations across 35 regimes, this compares to 3121 at March 2022, close to a 25% growth.

£21.6 billion of funds were reported to OFSI as frozen as of September 2022, an increase of £9.2 billion since 2021. In year reporting between February 2022 and October 2023 presents the impact of Russian sanctions with £22.7 billion of assets frozen.

It will be interesting to see the final impacts in the 2023-2024 report.

FCA Enforcement Trends – 2 Takeaways

At the end of July the FCA published it’s annual report and latest operating metrics which includes details on enforcement trends.

Two quick take-aways:

1. Financial Penalties Have Reduced

Total value and size of fines has dropped from those reported in period 2021/22. The value is down from £313m in 2021/222 to £199m in 2022/23 with numbers increased from 11 to 24. The penalties were dominated by the £107.7m for Santander UK, announced in December 2022, for repeated anti-money laundering failures.

2. Investigations Are Taking Longer

The average time to complete investigations is now 41 months. Increasing from 34 months in 2021/22 and just 25 months in 2020/21. Regulatory and criminal investigations rates have slowed considerably.

New PSR rules will change the shape of fraud and AML teams

The new PSR rules, announced this week, radically change the liability landscape for firms and will fundamentally change the way they need to structure their fraud and AML compliance processes.

With some simplification, let me explain this statement …

There’s always two sides to every transaction – a sender and a receiver.

Fraud prevention

Fraud prevention systems have, in the main, been built to focus on transactions that are sent. They’ve been built to mitigate the liability of potential losses and to protect customer account holders – the people or companies sending the transactions.

Fraud prevention systems are the ‘hares’ of the compliance world. They run in realtime, interdicting payments, to stop losses before the transaction leaves the sending institution.

Fraud prevention systems don’t, as a rule, consider or focus in detail on received payments. This is not because the institutions don’t believe that their own accounts may be risky , but because the liability for any loss on a payment has always historically sat very squarely with the payment sender.

Anti-Money Laundering

So what about received funds? Typically these are monitored by firms from an AML “proceeds of crime” perspective in order to detect suspicious activity as part of the ins and outs of account flows. These systems also look at sent transactions as well.

AML monitoring processes are the “tortoises” of the financial crime compliance world. They are typically slow and batch based. They look at longer term patterns of account and customer activity to identify money laundering risks. They don’t interdict or stop transactions. Their raison d’etre is to report suspicious activity rather than to prevent it from happening.

So what’s changed?

In a bid to tackle the rising rate of Advance Push Payment (APP) fraud, the Payment Systems Regulator (PSR) announced last week new rules for Faster Payments will mean that both sending and receiving firms are incentivised to act to take action on fraud. Both will become liable for the losses and will split the costs of reimbursement 50:50. 

Firms will need to adapt their fraud controls to look at both sent and received payments. This change will drive the continued convergence of Fraud and AML (FRAML!), both from technology and operational perspectives. If you are monitoring both inbound and outbound transactions in realtime to prevent fraud, why not do the same for AML? Why have two systems that are looking at the same data if they can be rationalised into one? Why have two teams when one combined approach could offer the best of both worlds?

To finish …

The new PSR rules set a new regulatory direction, firms hold a responsibility to monitor all transactions and customer account activity from both an AML proceeds of crime and a fraud prevention perspective. The 50:50 reimbursement split may be seen by some as controversial but will lead to greater levels of cooperation within and between firms that will help drive new models for fraud and AML.

Compliance will be focus for Generative AI

According to a new report by Accenture, banking and insurance are the two sectors where Generative AI will have the greatest impact and have the highest potential for automation.

They also identify “Office and Administrative Support” and “Business and Financial Operations” as two job of the top 4 job categories that are set for transformation. Job categories most associated with financial crime compliance.

Institutions have seen a rise in compliance costs of 19% between 2020 and 2022, according to LexisNexis, and the UK now spends a staggering £34.2 billion fighting financial crime. 60.6% of these costs are related to employees and training. Two areas where Generative AI could provide significant cost reductions.

No surprise then that Accenture suggests that “generative AI will support enterprise governance and information security, protecting against fraud, improving regulatory compliance, and proactively identifying risk by drawing cross-domain connections and inferences both within and outside the organization”.

How much are your AML controls worth?

Always an interesting question to ask given that appropriate anti-money laundering controls are requirement to hold and retain a banking license, or any other business license to operate in a regulated sector.

This week the answer is $13.4bn or perhaps $200m depending on whether you measure opportunity or cost.

This week TD Bank pulled out of a $13.4bn acquisition of First Horizon. Preventing the Canadian bank from becoming the sixth largest lender in the US and costing the TD $200m in a cash payment to First Horizon as a penalty to not complete the deal.

In response to the news, First Horizon came off even worse with shares plunging to a new low and a market capitalisation falling to less than $6bn.

The deal was ultimately scuppered following multiple delays following the Office of the Comptroller of the Currency and the Federal Reserve raising concerns over TD Bank’s handling of unusual transactions and its timeliness in reporting suspicious activity to them.

Other than a recent small value OFAC fine in 2021 ($115k) , TD has brushed more with regulators on themes relating to investor and consumer protection.

Either US regulators were being protective of their domestic market or perhaps there is yet more to unravel on this story

UK Fraud Strategy

Or should that be counter fraud strategy …

On 3 May the UK government published its new “Fraud Strategy: stopping scams and protecting the public” and an accompanying “what it means to you” overview.

Not quite the “fundamental shift” in approach that is mentioned in the introduction, but there are some useful steps forward. Most of the press has focussed on the clampdown on cold calling and SMS scams that have led to a rise in authorised push payment (APP) fraud in the UK, Acton Fraud will be replaced and there will be a new 400 person National Fraud Squad (NFS) created.

A couple of items of more interest that have gained less attention.

Firstly, in the age of instant payments the new UK strategy seeks to “help banks slow down suspicious payments”.

And secondly, the Economic Crime and Corporate Transparency (ECCT) Bill will help in providing safe harbour for those that share data to address economic crime:

Expect to see a 10% reduction from 2019 pre-Covid levels by the end of this Parliament!

Generative AI / ChatGPT – Knowledge vs Intelligence

There’s been so much recent discussion on new generative AI technologies and ChatGPT. Are we all out of a job? Well ChatGPT is fantastic technology. It can probably write a better-constructed blog post than this one. But when we talk about these new “artificial intelligence” algorithms we need to do more to differentiate “knowledge” from “intelligence“.

ChatGPT and other generative AI are a fantastic way to summarise and re-package human knowledge – whether that’s providing textual responses to questions or re-packaging art to generate new creations. What they’re not doing is anything that’s actually intelligent – we get lost in the smoke and mirrors and just think they are.

In the 90’s everyone thought that Deep Blue was a marvel – a computer that was intelligent enough to play chess. It wasn’t, it was just capable of incredibly fast, for the time, computation and search.

ChatGPT is the next generation of technology and algorithms, and a huge leap forward from the chess game on my iPhone that still beats me! But it’s not intelligent! It just reads faster, remembers more, and collates better than any of us can.

Worth considering though is that these technologies will change the way we work.

In the future, should you be in the knowledge economy or the intelligence business?

The knowledge economy just provides these systems with more data to learn against and improve. If you drive an autonomous car, you’re just providing the car with more data that it can train against and get better at being autonomous. If you contribute to or correct a Wikipedia article or write a blog post (that has any real value) then the treasury of information that you are creating will make ChatGPT and other AI algorithms even better.

Where do we still win? Cognitive abilities and intelligence such as problem-solving, critical thinking, and creativity.

I asked ChatGPT whether in the future it will be better to have a job that creates knowledge or requires intelligence. Its answer was very diplomatic, although I thought it missed the point a bit!

ChatGPT – knowledge or intelligence?

OFAC continue their focus on corporates

OFAC have just announced a $5 million settlement agreement with a Hong Kong and China based firm, Sojitz (Hong Kong) Limited. The fine was for US dollar cross-border transactions relating to trade with Iran for Iranian-origin high density polyethylene resin (HDPE) purchased in Thailand. This continues the general trend of more focus and fines for sanctions violations by corporates.

The settlement agreement provides details of employees hiding and removing information from their compliance team and going ahead with payments even when informed not to.


Takeaways are the obvious:

  • Employees (at all levels) need to be open, honest and transparent about country of origin information and not remove this information or obscure it from compliance teams
  • If ‘errors’ happen then self-disclosure is always the right course of action. Total value of USD transactions was $75 million so the fine could have been a lot more had they not self-disclosed (up to $150 million given an egregious violation).

And perhaps most obvious, if you are to trade in goods with Iranian provenance, don’t pay in US dollars!

U.S. Department of Treasury Sanctions Review

On Monday (18 October 2021) the U.S. Department of Treasury released its 2021 Sanctions Review.
The report presents some welcome directions: enhanced multilateral coordination, avoidance of unintended consequences, clarity and reversibility, and the need to modernize. 
But it also reminds us why sanctions implementation continues to be an enormous industry pain point, slowing customer on-boarding, creating friction in the payment chain, and creating a compelling need for new technologies and approaches.
A 933% increase in OFAC sanctions designations in the last 20 years!

Blockchain is so 2017!

Stimulated by yet another news article about blockchain and distributed ledgers, I took a look at google trends to see how “blockchain”, and “bitcoin” have been doing in terms of search ranking.

A long time ago, I attended a number of conferences on “XML”. It was, at the time the technology that was set to change the world at the peak of the technology hype cycle and inflated expectations.. Arguments aside as to whether a mark-up language is a technology, interest in it has subsided as it has become embedded in applications, commonly applied and moved into it’s plateau of productivity.

Technology Hype Cycle

Google trends allows you assess search levels against a word or phrase and therefore the level of interest in an area. If people are searching for it there’s an interest, if they are not they’re not!

The worldwide trend for search on “XML” gives this plot. The level of interest declining continuously since late 2014 – that’s the earliest google will provide data on. Inevitably, you don’t see “XML” as a lead feature in any product brochure – “Now with new XML”.

Google Trends – XML

So how’s blockchain and bitcoin performing.

The plot below shows the level of worldwide searchon “blockchain”, a two key peaks in December 2017 and also February 2021.

Google Trends – blockchain

So, how do I read this?

It’s good news for blockchain as a technology set. The hype-cycle in 2017 created a peak of inflated expectations, we’ve got through the trough of disillusionment, and reached the slope of enlightenment and are now moving into the plateau of productivity. Like many technologies before it, blockchain has survived and is now here to stay.

Time to stop talking and start doing. We’ll see the “now with new extra blockchain” in product literature for a few more years, but then blissful quiet will follow. The technology will become invisibly embedded, and no one will talk about it, just yet another enabler – the real story focussed back on the applications and the real benefits that they can bring.

But what about bitcoin, well the plot is similar, December 2017 peak and some stochato behaviour between February to May this year. But then given the level of celebrity interest, I think everyone is well aware that the hype cycle ended a long time ago!

Google Trends – bitcoin