OFSI Annual Review – 2022-2023

Sneaking in at the end of last year, OFSI (Office of Financial Sanctions Implementation HM Treasury) published their annual review. Or at least, the annual review running to March 2023, so a document that is some 9 months in the making!

Headlines, assuming that you can call them headlines given that the document is essentially out-of-date the moment that it was published, centred on Russian sanctions relating to the war in Ukraine, new cyber designations, and the growth of OFSI staff by 96 FTE. But no headline grabbing enforcement numbers. Between April 2022 and March 2023, OFSI issued just two monetary penalties with a combined value of £45,000.

As of March 2023 there were 3883 designations across 35 regimes, this compares to 3121 at March 2022, close to a 25% growth.

£21.6 billion of funds were reported to OFSI as frozen as of September 2022, an increase of £9.2 billion since 2021. In year reporting between February 2022 and October 2023 presents the impact of Russian sanctions with £22.7 billion of assets frozen.

It will be interesting to see the final impacts in the 2023-2024 report.

New PSR rules will change the shape of fraud and AML teams

The new PSR rules, announced this week, radically change the liability landscape for firms and will fundamentally change the way they need to structure their fraud and AML compliance processes.

With some simplification, let me explain this statement …

There’s always two sides to every transaction – a sender and a receiver.

Fraud prevention

Fraud prevention systems have, in the main, been built to focus on transactions that are sent. They’ve been built to mitigate the liability of potential losses and to protect customer account holders – the people or companies sending the transactions.

Fraud prevention systems are the ‘hares’ of the compliance world. They run in realtime, interdicting payments, to stop losses before the transaction leaves the sending institution.

Fraud prevention systems don’t, as a rule, consider or focus in detail on received payments. This is not because the institutions don’t believe that their own accounts may be risky , but because the liability for any loss on a payment has always historically sat very squarely with the payment sender.

Anti-Money Laundering

So what about received funds? Typically these are monitored by firms from an AML “proceeds of crime” perspective in order to detect suspicious activity as part of the ins and outs of account flows. These systems also look at sent transactions as well.

AML monitoring processes are the “tortoises” of the financial crime compliance world. They are typically slow and batch based. They look at longer term patterns of account and customer activity to identify money laundering risks. They don’t interdict or stop transactions. Their raison d’etre is to report suspicious activity rather than to prevent it from happening.

So what’s changed?

In a bid to tackle the rising rate of Advance Push Payment (APP) fraud, the Payment Systems Regulator (PSR) announced last week new rules for Faster Payments will mean that both sending and receiving firms are incentivised to act to take action on fraud. Both will become liable for the losses and will split the costs of reimbursement 50:50. 

Firms will need to adapt their fraud controls to look at both sent and received payments. This change will drive the continued convergence of Fraud and AML (FRAML!), both from technology and operational perspectives. If you are monitoring both inbound and outbound transactions in realtime to prevent fraud, why not do the same for AML? Why have two systems that are looking at the same data if they can be rationalised into one? Why have two teams when one combined approach could offer the best of both worlds?

To finish …

The new PSR rules set a new regulatory direction, firms hold a responsibility to monitor all transactions and customer account activity from both an AML proceeds of crime and a fraud prevention perspective. The 50:50 reimbursement split may be seen by some as controversial but will lead to greater levels of cooperation within and between firms that will help drive new models for fraud and AML.

Compliance will be focus for Generative AI

According to a new report by Accenture, banking and insurance are the two sectors where Generative AI will have the greatest impact and have the highest potential for automation.

They also identify “Office and Administrative Support” and “Business and Financial Operations” as two job of the top 4 job categories that are set for transformation. Job categories most associated with financial crime compliance.

Institutions have seen a rise in compliance costs of 19% between 2020 and 2022, according to LexisNexis, and the UK now spends a staggering £34.2 billion fighting financial crime. 60.6% of these costs are related to employees and training. Two areas where Generative AI could provide significant cost reductions.

No surprise then that Accenture suggests that “generative AI will support enterprise governance and information security, protecting against fraud, improving regulatory compliance, and proactively identifying risk by drawing cross-domain connections and inferences both within and outside the organization”.