IP geo-blocking and sanctions compliance

Yesterday, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement agreement with NewTek for apparent sanctions violations relating to Iran. NewTek is a small US company that develops and supplies live production and 3D animation hardware and software systems.

Corporates are increasingly coming under the regulatory radar and need to think more seriously about their approaches to compliance. The settlement agreement shows that NewTek was naive in its approach to sanctions compliance, and this acts as yet another reminder to firms.

More interesting, though, are the remedial actions taken by NewTek, which OFAC considered as mitigating factors. Following the apparent violations the company:

  • Established export controls and sanctions compliance policies and procedures;
  • Hired a Director of Compliance;
  • Provided compliance training to employees in sales, marketing, shipping, service, and compliance personnel;
  • Obtained formal export classifications from the U.S. Department of Commerce confirming that NewTek’s products are properly designated EAR99 for export control purposes;
  • Implemented bulk name screening of its product registrants and current and pending distributors against the SDN List;
  • Implemented geo-IP blocking measures to prevent individuals located in Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine from downloading or registering NewTek products.

The last of these is the most interesting.

If you are a software company, operating in the US or with US affiliation or ownership, what do you do today to stop your products from being downloaded by individuals located in sanctioned countries?

And since software is just bits and bytes, no different from web pages, documents, pictures or NFTs, what does this mean for other types of virtual assets?

5 RegTechs to Watch

I was asked today which companies I think have the opportunity to change the way that we think about RegTech. Here’s my list and the reasons why.

There are some great larger organizations, but I’ve deliberately focussed on less well-known or smaller players. And I’ve also tried to pick those that are doing something quite different or operating in an area that is on the cusp of change.

In no particular order:

Neterium: Sanctions Screening

Fircosoft (LexisNexis Accuity) remains the dominant player in transaction screening, but otherwise the sanctions screening market is extremely fragmented, at the enterprise level (BAE, Actimize etc.), in the platform market (Temenos, FiServ), and across many small vendors (FinScan, ComplyAdvantage). Even though they are all building and promoting their own engines, the market has remained pretty much unchallenged in terms of technology and approach for the last 10 years. But the problem space has changed significantly.

Historically, customer onboarding didn’t require a high-precision filter as processes were very manual. With automated workflows and customer experience the new priority, this is no longer the case. In the transaction space, investment in sanctions was seen as a sunk cost by treasury teams and not something they were keen to change or improve. It is now a cost that banks want to shift, and the friction that filters create is unacceptable: it again impacts customer experience and is a principal reason why payments are so slow.

There’s an opportunity for the right product to disrupt the space and the Neterium team has the credibility of having done it before. If they don’t get there, then someone else will. If it is not Neterium then I would look to APAC or UAE given the additional challenges that those geographies have on character sets.

HelloFlow: KYC On-Boarding

A tiny startup that is taking a very different customer and application-centric approach to the customer onboarding process. Given their size, they may struggle to get a foothold in the market, but the demo on their website offers a glimpse of how onboarding flows can be easily automated. This could accelerate onboarding for fintech challengers, and ease adoption and adaption pains as they grow into new markets and create new products. More radically, the technology could allow big banks to catch up with the challengers in terms of agility and customer experience.

Tookitaki: AML Transaction Monitoring

So fundamentally AML transaction monitoring is really in need of a reboot, and I’ve not seen anyone yet that really has the vision to make a real change in this area. Today the trend is to improve, rather than replace the underlying transaction monitoring systems, and there are two ways people are working to do this.

The first approach is to streamline investigations through robotic process automation (RPA) and data consolidation, ensuring the analyst has a complete, informed, and re-prioritized view of risk. There are many vendors doing flavors of this: Blue Prism, DataRobot, Arachnys, Quantexa – all with their own merits.

The second is to optimize detection performance.

Tookitaki is in this second group, competing with the consultants who see it as a process problem (PWC, Deloitte etc), the toolkit vendors that see it as an artificial intelligence challenge (C3AI, SAS), and others that may be more focussed on sanctions than AML (e.g. Silent 8).

Tookitaki seems to be ahead in terms of its approach, analyst presence, and overall potential. They also have stronger regulatory ties which give them advantages given the sensitivity of this space.

Ravelin: Fraud Prevention

With the move online, the fraud problem becomes a burden carried by the merchants and not by the banks. Ravelin was one of the first to offer API integration at merchant checkout that both addresses the merchant fraud problem and enhances the customer experience.

Compared to the fraud models that are applied by the banks, who only see transaction value, place, and time info, Ravelin can monitor the customer activity in more detail. They can understand purchase history, consider the modes of fraud associated with particular goods and services, scan IP information, and even consider customer dwell times.

Given that the old card issuer / merchant acquirer models are under threat from EPI in Europe and direct-to-account payment initiatives are being pushed by everyone (even the card schemes!), it would seem that there’s an opportunity in this area and those that offer easy integration and a complete holistic view of risk will win out.

Apiax: Regulation

The bridge between regulation and what gets implemented at an institutional level is a difficult one to build. Historically it has been filled by a combination of specialist advice (from big consultancies, legal firms, or specialist consultants) and online news and training services such as those offered by Thomson Reuters, LexisNexis, and ACAMS. Consultants are engaged to build the compliance processes at your organization to align with regulations, and the news services keep you up to date on changes.

The challenge with these approaches is that they do not make the mapping from regulation to implementation easy. Nor do they future-proof an organization as regulatory requirements change, new products are introduced, or business shifts to new geographies.

Apiax is trying to become the new bridge, joining regulation to rules to implementation. In theory, their approach could allow a FinTech to set up shop and be compliant with regulation without ever having engaged lawyers or employed domain specialists to guide their implementations. Although this would probably not be viable in practice, many startups and even established institutions could accelerate time to market with this sort of approach.

Final Thoughts

I continue to be excited and inspired by the rate of change in the RegTech space. There are numerous other companies that I know of that could easily have made the above list, and probably even more that I’ve yet to encounter.

The above represents my own opinions, so please take it at face value.

Finally, if you want to have a conversation on any of this please get in touch.

Elon Musk’s Masterplan Unveiled

So, after a long week and a quiet August, time for a light-hearted article.

I’ve been listening to “Elon Musk: The Evening Rocket”, a five-episode series of programmes on BBC Radio 4. Narrated by Jill Lepore, the programme “untangles the strange sci-fi roots of Silicon Valley’s extreme capitalism – with its extravagant, existential and extra-terrestrial plans to save humanity”. The protagonist, of course, being Elon Musk.

It is difficult to avoid Elon Musk – founder of SpaceX and The Boring Company, CEO of Tesla, and a proponent of the cryptocurrencies bitcoin and dogecoin. With close to 60 million followers on Twitter, he is a character built in Trump-era America, in terms of his outspoken public profile, attitude, wealth, and approach to capitalism. He has a mantra that every problem can be solved with technology, enjoys comparisons to Iron Man’s Tony Stark, even cameoing in the movie, and plays with references to sci-fi such as The Hitchhiker’s Guide.

Anyway, onto the real article.

Elon Musk wants to be a sci-fi superhero, but so do I!

Thanks to the BBC, I now know his master plan and I’m already ahead of the game.

Elon’s master plan was mapped out for him in a series of sci-fi books, first published in 1910, that follow the adventures of a fictional inventor genius “Tom Swift” (and also his son Tom Jr). Swift by name and swift by nature (let’s not go there!). Book by book they lay out Musk’s inventions, passions, and directions!

In book 5, “Tom Swift and His Electric Runabout”, published 1910, Tom creates an electric sports car, with revolutionary new battery technology, a top speed of 100 mph, and a range of 400 miles (on a single charge!). The inspiration for Tesla?

In book 7, “Tom Swift Among the Diamond Makers”, published 1911, Tom doesn’t invent but discovers a machine that turns energy into wealth. In this case, lightning into diamonds, but the parallels to wealth creation through energy-consuming bitcoin mining are not lost! A fascination for cryptocurrency?

In book 19, “Tom Swift and His Big Tunnel”, published 1916, Tom helps contractors blast a tunnel through a mountain and connect two isolated rail lines. The Boring Company?

And of course “Tom Swift in the Race to the Moon”, “Tom Swift and His Outpost in Space”, “Tom Swift and His Space Solartron”, and “Tom Swift and the Cosmic Astronauts” all provide inspiration for SpaceX!

So the great news is that there are still some inventions that we have yet to see from Musk. His Air Glider, Wizard Camera, Great Searchlight, and many others must be in the pipeline or ready to be announced.

And then there are the ones that got away. Someone getting to the Taser first. “Tom Swift and His Sky Racer” as the inspiration for the Ansari X Prize (although Musk now supports the X Prize Foundation). And why Musk hates Skype and Zoom as he failed to get in early enough on “Tom Swift and His Photo Telephone”.

Stepping carefully away from the idea that “Tom Swift and the Visitor from Planet X” has anything to do with Grimes (I love those early albums), I think it’s obvious that Musk’s master plan is deep-rooted in these books.

So finally, how do I get ahead? Well, it’s easy, I just need to read ahead! Telejector done! Now I just need to dodge the Alien Probe, and then onto the Microrobots, the Robot Olympics, and build that Space Hotel!

Elon Musk you have met your match!

Cryptocurrency – the best tool for money-launderers

Over the last decade there have been plenty of news stories reflecting the narrative that cryptocurrency is the criminal’s best friend: from online drug trafficking at the Silk Road marketplace, to billions being laundered through bitcoin, to cryptocurrency being the payment form of choice to enable and facilitate ransomware.

The narrative, though, is changing. Chainalysis, a blockchain analysis firm, suggests in its 2021 report that the criminal share of activity in cryptocurrency is declining rapidly – from 2.1% in 2019 to 0.34% in 2020. With some exceptions, increasing regulation of the area and the inherent traceability of most cryptocurrencies mean that they could quickly become law enforcement’s best friend.

A pile of bitcoin

Today, 13 July, in the UK the police announced a seizure of £180m of bitcoin as part of a money laundering investigation, with this seizure hot on the heels of a confiscation in June.

To put this into context, in its annual threat assessment the NCA reported £172 million denied to suspected criminals between April 2019 and March 2020 as a result of defence against money laundering requests. Or compare the reported £1.6bn of criminal assets recovered between April 2010 and March 2018 – that’s around £200m per year.

So perhaps cryptocurrency really is the best tool for money launderers – to get caught.

RegTech disconnect between vendors and FIs

On 29 June 2021, the EBA released a new report (EBA Analysis of RegTech in the EU Financial Sector) presenting its analysis of RegTech in the EU financial sector. The report presents a number of conclusions that include the need to address knowledge gaps on RegTech amongst regulators, support for the harmonization of supervisory treatment and regulations relating to RegTech, and continued encouragement of regulatory sandboxes.

The report has good news for RegTech providers: satisfaction levels for their solutions are high and IT spend by FIs on those solutions is on the rise (increasing at 75% of respondents, remaining stable at 19%, and decreasing at only 6% of respondents).

Presenting results from the perspective of both financial institutions (FIs) and also RegTech providers, the report highlights differences in experiences. It is these differences that are the most interesting and lead to the following observations.

1. RegTechs need to be more sophisticated with product messaging

It is clear from the report that FI requirements and expectations for RegTech have matured. They want to see technology benefits from enhanced risk management, better monitoring and sampling capabilities, and reduced human error. This contrasts with dated messaging from RegTech providers that quote benefits as efficiency and effectiveness and responding to regulatory change.

2. RegTechs need to align offerings to market need

The report highlights the misalignment between where FIs are using RegTech solutions, where they have experience of those solutions, and the proportion of offerings from providers. This shows that AML/CFT, ICT Security, and Credit Worthiness Assessment are underserved and could present opportunities for RegTech providers.

The large classification of many RegTech providers in the “Other” category (and based on a review of the listing of these categories from the report annex) suggests the need for better market alignment by them. This is especially true as RegTech providers highlight the lack of FI understanding of RegTech solutions as a barrier to entry.

Every RegTech provider will claim the uniqueness of their solutions, but if these solutions don’t meet the expectations of the marketplace they will be difficult to position and sell, and highly unlikely to be successful.

3. Greatest competitor for RegTechs may be internal builds

The overall satisfaction levels for RegTech solutions are high but FIs only just prefer external RegTech solutions (75% overall satisfaction) to those built in-house (70%).

Good news for RegTech-based cloud offerings, as Software-as-a-Service (SaaS) solutions had the highest satisfaction level of 83%.

4. Regulation is not the real barrier for RegTechs

90% of RegTech providers consider the lack of regulatory/supervisory guidance and support to be an obstacle to their solutions across different countries. This same view is not held by FIs.

5. RegTechs need to be realistic on deployment times

The report highlights a discrepancy between deployment time expectations. 66% of RegTechs claim deployment times of less than 3 months but the report suggests a 12-18 month deployment cycle is experienced for the majority of solutions by FIs. Although such extended project periods may be due to a lack of technical readiness on behalf of the FIs, RegTech providers should do a better job of setting expectations.

If you’ve found this analysis interesting, please reach out; I would be very happy to discuss the state of the RegTech market with you.

Money laundering deadline approaching …

Today, 23 June 2021, the new polymer £50 note will enter circulation, and the Bank of England have announced that 30 September 2022 will be the last day you can use Bank of England paper £20 and £50 notes.

So if you have £5 million of illicit gains stuffed under your mattress then you probably need to get your skates on and start laundering!

Two obvious questions. First, as we transition to digital payments, is this the right time to be sustaining the life of a high-value note, more favoured by money launderers than legitimate citizens? Second, as was done in the wake of the Northern Bank robbery, why haven’t central banks used the regular re-issuance of notes as part of a strategy to make crime less profitable? Perhaps an intelligent feature is required as part of the Bank of England’s Central Bank Digital Currency (CBDC) strategy?

Precision, effectiveness, and the compliance dilemma!

Attending the FinCrime World Forum (virtually) today and listening in to one of the panel sessions, I was reminded how often people confuse system precision with system effectiveness. The confusion is made worse in the world of anti-money laundering (AML) and compliance as the industry lacks a reliable way to measure the true effectiveness of systems.

Precision: Precision is a measurement of how efficient a system is. In the world of compliance, precision is usually termed the false positive rate of a system. In simple terms, this is measured as follows:

False Positive Rate = Bad Actor Alerts / Total Alerts
False Positive Rate = True Positives / (True Positives + False Positives)

As an example, if my bank’s AML solution generates 1000 alerts a month in total and if operational teams find 100 alerts related to bad actors (true positives) and these are escalated for reporting or further investigation then the false positive rate of this system would be 100/1000 or 10%. The system’s precision is 10% as it gets the right answer (finds a true positive) on average once for every ten alerts generated (1 in 10).

Improving precision: This, in theory, is easy! Remove the unwanted alerts generated against legitimate customers (the erroneous false positives) and maintain the same number of alerts generated against the bad guys (true positives). Many vendors are now offering artificial intelligence and machine learning methods that attempt to do this.

In the example, if we can reduce the total alerts generated each month to 500, but still capture the same 100 alerts on the bad guys, then the system precision becomes 1 in 5 or 20%. Great news, the precision of the system has improved!

The system is now more precise, investigations can be performed more efficiently as there are fewer alerts to review, but the improved precision has done nothing to change the effectiveness of the system. Before optimization, the system generated 100 alerts against bad actors and after optimization, it still generates 100 alerts against these same characters and so the system effectiveness is unchanged. The system is more precise but no more effective.

A subtlety, and an error I have seen a number of times at institutions that should have known better, is that improving precision can often make effectiveness worse!

Improved precision can mean lower effectiveness: A naive team of data scientists might run an algorithm that reduces the alert rate to 250 alerts each month but now catches only 75 of the bad actor alerts (true positives). The precision is now 75/250 or 30%, which means even more efficiency and potential cost savings, but this comes at a penalty in that the system is now less effective. There are now only 75 true positive alerts detected and the system is missing 25 other true positive (bad actor) alerts that it would previously have detected. So be careful!

Now that we’ve discussed how system precision can be measured and what it means for efficiency and false-positive rates, we can turn to the more difficult issue of measuring effectiveness. Now, this is where it gets tricky!

Effectiveness: System effectiveness is a measure of the total number of accurate bad actor alerts (true positives) that are generated by a system as a ratio of the complete set of bad actor alerts that should have been detected. The formula can be expressed as:

Effectiveness = Bad Actor Alerts / All Bad Actor Alerts
Effectiveness = True Positives / (True Positives + False Negatives)

Here’s where we run into the big issue, the one that is at the crux of all compliance debates. People talk endlessly about the need to measure system effectiveness but to know how effective a system is we also need to know how many bad actors there are operating at our bank so that we can see how many we need to detect! There is a tautology here, if we knew who these bad actors were we would not need to detect them! It is only once we know the complete number of bad actors that we can actually assess whether our AML system is 100% or 0.01% effective.

Returning to our example, if we find 100 bad actor alerts each month and there are only 100 bad actors active at our institution then our system could be 100% effective. But if there are millions of bad actors abusing the institution our effectiveness rate could only be 0.01%.
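The arithmetic above, worked through in Python as an added illustration (this is not the author's code): `AlertStats`, `relative_effectiveness` and `assess_tuning` are names I have assumed, and the bad-actor population figures are constructed to match the two scenarios in the text. It goes one step beyond the article by showing that effectiveness *relative to a baseline* can be measured without knowing the unknown population, because the unknown false negatives cancel.

```python
"""Precision vs. effectiveness for an AML alerting system (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AlertStats:
    """One month of alert outcomes for a transaction monitoring system.

    total_alerts:     alerts generated
    true_positives:   alerts on bad actors (escalated / reported)
    bad_actor_total:  ALL bad actors the system should have detected; unknown
                      in practice, so optional and, when given, an ASSUMED
                      figure (the compliance officer's dilemma).
    """
    total_alerts: int
    true_positives: int
    bad_actor_total: Optional[int] = None

    def __post_init__(self) -> None:
        if not 0 <= self.true_positives <= self.total_alerts:
            raise ValueError("true positives must lie between 0 and total alerts")
        if self.bad_actor_total is not None and self.bad_actor_total < self.true_positives:
            raise ValueError("cannot detect more bad actors than exist")

    @property
    def false_positives(self) -> int:
        return self.total_alerts - self.true_positives

    def precision(self) -> float:
        """What the article calls the false positive rate: TP / (TP + FP)."""
        if self.total_alerts == 0:
            raise ValueError("no alerts; precision is undefined")
        return self.true_positives / self.total_alerts

    def effectiveness(self) -> Optional[float]:
        """TP / (TP + FN); None when the bad-actor population is unknown."""
        if self.bad_actor_total is None:
            return None
        if self.bad_actor_total == 0:
            raise ValueError("no bad actors; effectiveness is undefined")
        return self.true_positives / self.bad_actor_total


def relative_effectiveness(baseline: AlertStats, candidate: AlertStats) -> float:
    """Share of the baseline's bad-actor alerts the candidate still catches.

    Needs no knowledge of the unknown population: the same (TP + FN) sits in
    both denominators, so (TP_c / P) / (TP_b / P) == TP_c / TP_b.
    """
    if baseline.true_positives == 0:
        raise ValueError("baseline detects nothing; relative measure undefined")
    return candidate.true_positives / baseline.true_positives


def assess_tuning(baseline: AlertStats, candidate: AlertStats) -> dict:
    """Summarise a tuning change: did precision improve, and at what cost?"""
    rel = relative_effectiveness(baseline, candidate)
    if rel < 1.0:
        verdict = "less effective: bad-actor alerts lost"
    elif candidate.precision() > baseline.precision():
        verdict = "more precise, no bad-actor alerts lost"
    else:
        verdict = "no improvement"
    return {
        "precision_before": baseline.precision(),
        "precision_after": candidate.precision(),
        "alerts_removed": baseline.total_alerts - candidate.total_alerts,
        "true_positives_lost": baseline.true_positives - candidate.true_positives,
        "relative_effectiveness": rel,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The article's worked numbers (constructed illustration).
    original = AlertStats(total_alerts=1000, true_positives=100)
    tuned = AlertStats(total_alerts=500, true_positives=100)   # 20% precision
    naive = AlertStats(total_alerts=250, true_positives=75)    # 30%, but 25 lost
    for name, candidate in (("tuned", tuned), ("naive", naive)):
        print(name, assess_tuning(original, candidate))
    # Absolute effectiveness depends entirely on the ASSUMED population.
    for population in (100, 1_000_000):
        print(population, AlertStats(1000, 100, bad_actor_total=population).effectiveness())
```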

“Without knowing the unknown it is impossible to accurately assess what we do know.”

The Compliance Officer’s Dilemma

Compliance officer’s dilemma: This leads us to the compliance officer’s dilemma which, to paraphrase Donald Rumsfeld, is that without knowing the unknown we cannot accurately assess what we do know. Or to put it another way, without knowing about all the bad actor cases that our systems should have detected it is impossible to get an accurate measure of overall system effectiveness.

In practice, you can use trade-off graphs and other styles of analysis to get estimates of system effectiveness. These work in the way a gold prospector would, and look at rates of return of detection as you dig deeper into the pile of potential alerts that could be generated. Even with these approaches, it is still impossible to know all the unknowns.

Two takeaways …

First, next time you are asked how effective your AML transaction monitoring solution is perhaps you should give the real answer “it is impossible to know” and then qualify it with the evidence that you have as to why your teams look at the number of alerts that they do and the trade-offs that this represents.

Second, as an industry, we should focus on relative measures of effectiveness and look towards the incremental improvement of these over time. You may not know the absolute end goal of the effectiveness of your systems and processes, but the incremental improvement over time means that wherever that goal is you will be moving in the right direction.

Finally, if you have found this interesting you might also like my article on the challenges of non-verifiable judgements and why fast feedback loops are essential to improve the performance of compliance (and other) systems.

Compliance risk and non-verifiable judgments

I’ve recently started reading Daniel Kahneman’s new book “Noise”. Like his previous book “Thinking, Fast and Slow” it’s what I would call a contemplative read, one that introduces concepts and stimulates thinking. I like these kinds of books. One of the concepts in “Noise” that he considers (in chapter 4, I’m still reading!) is that of verifiable and non-verifiable judgments.

Noise: The new book from the authors of ‘Thinking, Fast and Slow’ and ‘Nudge’, by Daniel Kahneman, Olivier Sibony, and Cass R. Sunstein

In short, a verifiable judgment is one where the outcome can be verified. So predicting tomorrow’s weather is a verifiable judgment as you can very quickly validate whether the prediction of rain or shine was correct. In business and life, many decisions are verifiable but others, many of the most important ones you will make, are non-verifiable. This can be because at the point that the judgment is made they are impossible to test, have dependencies in how they play out, or that the time frame for validation is just too long.

Making a decision on the right business strategy. Selecting your partner for life. Lowering emissions to address global warming. At the critical decision point that these are made, these judgments all fall into the non-verifiable category. They may have been informed by the best available evidence, business trends, dating history, or scientific principles, but the timeline and dependencies make the actual judgments non-verifiable. As Steve Jobs suggests you need the luxury of hindsight to really prove you are right, so you have to trust in the judgments that you make.

“You can’t connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future”

Steve Jobs, 2005 Commencement Address

The world of risk, compliance, and financial crime prevention is full of non-verifiable judgments. As a financial crime officer, you have to make judgments on your risk policy and decide if it sufficiently protects your institution from financial crime or future regulatory action. In the last few years, we have seen a significant regulatory push for attestation and senior management accountability. This is all about trying to make those non-verifiable judgments verifiable, or at least to ensure sufficient due diligence is done in policy and process implementation and ongoing review.

Life would be easier if every judgment was verifiable. For this to happen we need things to be measurable, testable, and have rapid feedback to assess results and outcomes. We proved years ago that this is possible for sanctions filters, where outcomes can be measured against synthesized data and matched to the risk policy. There have been a few attempts to do the same for other areas of AML such as transaction monitoring but these are more difficult problems. It is possible to validate thresholds and settings of transaction monitoring tools but to answer the question of whether those systems are keeping money launderers at bay is one that puts us back into the land of non-verifiable judgments. This is especially true given a global regulatory framework that provides limited direct feedback on results against the millions of suspicious activity reports that are filed by banks and financial institutions annually.

In the new digital world, it is possible to verify the impact of website and mobile app changes, marketing campaigns, and sales initiatives in days rather than years or months. The speed of feedback for regulatory compliance looks archaic in comparison.

There are two take-aways here.

The first, that there is still a huge market opportunity for someone that can really crack the challenge of creating tools to make AML transaction monitoring and other compliance systems truly verifiable. Vendors continue to try: BAE Systems, Cable, AML Analytics, and others are moving in this direction, but no one yet is doing it well. And anyway, shouldn’t these capabilities be embedded in the AML transaction monitoring systems themselves?

The second, that it is no surprise that we already have evidence that fast feedback and qualified outcomes work. The UK National Crime Agency reports significantly better outcomes for Defence Against Money Laundering (DAML) over traditional suspicious activity reporting. DAMLs provide a fast feedback loop that allows iteration and improvement, which helps make some of those non-verifiable judgments verifiable. One day all compliance will work this way!

Back to the efuture: eIDAS & the new European Digital Identity Framework

Last week (3 &amp; 4 June 2021) the EU simultaneously announced the death of eIDAS and launched a brand new European Digital Identity Framework. Taking both a step backward and another forward in a move towards the digital e-future.

eIDAS had promised a vision of the future where electronic signatures and other trust services across the EU would remove the need for physical signatures and proof of identity. In its YouTube video these services were set to be available by 2019. It is a shame that things didn’t move as fast as hoped.

In the report on “the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)” the Council of the European Union stated:

The current eIDAS Regulation cannot address these new market demands given its inherent limitations to the public sector, the complexity for online private providers to connect to the system, its insufficient availability in all Member States and its lack of flexibility to support a variety of cases.

So eIDAS is dead, well not quite. The commission is now rallying behind the new European Digital Identity Framework, designed to deal with many of the problems that eIDAS set out to fix.

Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe.

This is good news for all of us that believe that digital identity is the missing link that binds payments and compliance, and will solve the age-old problem of proving you really are who you say you are.

But we are not quite there yet. The Commission wants to make digital identity a reality as soon as possible and suggests an aggressive timeframe to create a common toolbox by September 2022, with a target in the Commission’s Digital Compass of 80% of citizens using digital ID by 2030.

So, not a quick fix for the current know-your-customer, customer due diligence, and on-boarding challenges faced by most of Europe’s banks! But another step in the right direction.