UK Fraud Strategy

Or should that be counter fraud strategy …

On 3 May the UK government published its new “Fraud Strategy: stopping scams and protecting the public” and an accompanying “what it means to you” overview.

Not quite the “fundamental shift” in approach that is mentioned in the introduction, but there are some useful steps forward. Most of the press has focussed on the clampdown on cold calling and SMS scams that have led to a rise in authorised push payment (APP) fraud in the UK; Action Fraud will be replaced, and a new 400-person National Fraud Squad (NFS) will be created.

A couple of items of more interest have gained less attention.

Firstly, in the age of instant payments the new UK strategy seeks to “help banks slow down suspicious payments”.

And secondly, the Economic Crime and Corporate Transparency (ECCT) Bill will help in providing safe harbour for those that share data to address economic crime.

Expect to see a 10% reduction from 2019 pre-Covid levels by the end of this Parliament!

5 RegTechs to Watch

I was asked today which companies I think have the opportunity to change the way that we think about RegTech. Here’s my list and the reasons why.

There are some great larger organizations, but I’ve deliberately focussed on less well-known or smaller players. And I’ve also tried to pick those that are doing something quite different or operating in an area that is on the cusp of change.

In no particular order:

Neterium: Sanctions Screening

Fircosoft (LexisNexis Accuity) remains the dominant player in transaction screening, but otherwise, the sanctions screening market is extremely fragmented both at the enterprise level (BAE, Actimize etc), platform market (Temenos, FiServ), and with many small vendors (FinScan, ComplyAdvantage). Even though they are all building and promoting their own engines, the market has remained pretty much unchallenged in terms of technology and approach for the last 10 years. But the problem space has changed significantly.

Historically, customer onboarding didn’t require a high-precision filter as processes were very manual. With automated workflows and customer experience the new priority, this is no longer the case. In the transaction space, investment in sanctions was seen as a sunk cost by treasury teams and not something they were keen to change or improve. It’s now a cost that banks want to shift, and the friction that filters create is unacceptable: it again impacts customer experience and is a principal reason why payments are so slow.

There’s an opportunity for the right product to disrupt the space and the Neterium team has the credibility of having done it before. If they don’t get there, then someone else will. If it is not Neterium then I would look to APAC or UAE given the additional challenges that those geographies have on character sets.

HelloFlow: KYC On-Boarding

A tiny startup that is taking a very different customer and application-centric approach to the customer onboarding process. Given their size, they may struggle to get a foothold in the market, but the demo on their website offers a glimpse of how onboarding flows can be easily automated. This could accelerate onboarding for fintech challengers, and ease adoption and adaptation pains as they grow into new markets and create new products. More radically, the technology could allow big banks to catch up with the challengers in terms of agility and customer experience.

Tookitaki: AML Transaction Monitoring

So fundamentally AML transaction monitoring is really in need of a reboot, and I’ve not seen anyone yet that really has the vision to make a real change in this area. Today the trend is to improve, rather than replace the underlying transaction monitoring systems, and there are two ways people are working to do this.

The first approach is to streamline investigations through robotic process automation (RPA) and data consolidation, ensuring the analyst has a complete, informed, and re-prioritized view of risk. There are many vendors doing flavors of this: Blue Prism, DataRobot, Arachnys, Quantexa – all with their own merits.

The second is to optimize detection performance.

Tookitaki is in this second group, competing with the consultants who see it as a process problem (PWC, Deloitte etc), the toolkit vendors that see it as an artificial intelligence challenge (C3AI, SAS), and others that may be more focussed on sanctions than AML (e.g. Silent 8).

Tookitaki seems to be ahead in terms of its approach, analyst presence, and overall potential. They also have stronger regulatory ties which give them advantages given the sensitivity of this space.

Ravelin: Fraud Prevention

With a move to online, the fraud problem becomes a burden carried by the merchants and not by the banks. Ravelin was one of the first to offer API integration at merchant checkout that both addresses the merchant fraud problem and enhances the customer experience.

Compared to the fraud models that are applied by the banks, who only see transaction value, place, and time info, Ravelin can monitor the customer activity in more detail. They can understand purchase history, consider the modes of fraud associated with particular goods and services, scan IP information, and even consider customer dwell times.

Given that the old card issuer / merchant acquirer models are under threat from EPI in Europe and direct-to-account payment initiatives are being pushed by everyone (even the card schemes!), it would seem that there’s an opportunity in this area and those that offer easy integration and a complete holistic view of risk will win out.

Apiax: Regulation

The bridge between regulation and what gets implemented at an institutional level is a difficult one to build and has historically been filled by a combination of specialist advice, from big consultancies, legal firms, or specialist consultants and online news and training services such as those offered by Thomson Reuters, LexisNexis, and ACAMS. Consultants are engaged to build the compliance processes at your organization to align with regulations and the news services keep you up-to-date on changes.

The challenge with these approaches is that they do not make the mapping from regulation to implementation easy. They also don’t future-proof an organization as regulatory requirements change, new products are introduced, or business shifts to new geographies.

Apiax is trying to become the new bridge, joining regulation to rules to implementation. In theory, their approach could allow a FinTech to set up shop and be compliant with regulation without ever having to engage with lawyers or employ domain specialists to guide their implementations. Although this would probably not be viable in practice, many startups and even established institutions could accelerate time to market with this sort of approach.

Final Thoughts

I continue to be excited and inspired by the rate of change in the RegTech space. There are numerous other companies that I know of that could easily have made the above list, and probably even more that I’ve yet to encounter.

The above represents my own opinions, so please take it at face value.

Finally, if you want to have a conversation on any of this please get in touch.

The Lazarus Hei$t

Excellent and well worth a listen, The Lazarus Hei$t, a new BBC World Service podcast, tells the story of the Bangladesh Bank robbery and the attempted theft of a billion dollars by the North Korean-linked Lazarus Group. The tale has it all: financial and personal impacts of the Sony Pictures cyber-hack, state sponsorship of cyber-crime, the creation of counterfeit currency that’s almost better than the original, hacker hotels, hacking of payment systems at Bangladesh Bank, the movement of 500kg of cash from bank premises with faulty CCTV, laundering of funds through an unregulated Filipino casino system, Japanese links to the North Korean leadership dynasty, abuse of the charity sector, and more casino mayhem in Macau.

A fantastic plot for a fictional movie, if the story wasn’t true.

One somewhat ironic take-away from it all (in a Scooby-Doo style) is that they would’ve got away with it if it hadn’t been for those pesky sanctions filters. A reported $1 billion transfer from the Federal Reserve Bank of New York, on behalf of Bangladesh Bank, to the Philippines-based Rizal Commercial Banking Corp (RCBC) was never sent as the transfer to the branch location in Jupiter Street in Manila hit an OFAC SDN sanctions entry for “Jupiter”, an Iranian vessel. Another $20 million was stopped by another sanctions filter hit at Deutsche Bank against a spelling error of “fundation”, where the hackers had tried to direct the funds to a not entirely legitimate nonprofit foundation in Sri Lanka.

Sanctions filter hit rates can be really bad, and often as poor as 1 in 20, that is one in every twenty transactions stopped for review when the filters are badly built or misconfigured. Of those hits, only a tiny fraction, less than 1%, are ever then reported as illegitimate transactions to regulators, so most of the work done by sanctions teams is wasted effort.

So, the unanswered question: “inefficient sanctions filters, a blessing or a curse?” Well, in this instance sanctions filters saved the day, but more typically they are just creating cost and inconvenience for legitimate customers. Fixing and streamlining the poor quality of sanctions filtering is long overdue. It would remove cost, improve compliance, improve the speed and certainty of payments, and lead to a better customer experience.

And as to stopping those fraudulent payments, that’s the role of fraud prevention tools – not something detected by accident!

NCA – Annual Threat Assessment

The National Criminal Investigation agency has just published its annual threat assessment.

A very interesting report full of facts and figures and some lovely info-graphics. Strong evidence this year of Covid-19 playing its role in the changing landscape of crime and a clear demonstration of how quickly criminals adapt.

Many insights make depressing reading. Over £12bn of criminal cash generated annually, the scale of money laundering in the hundreds of billions, money mule activity, cyber-crime, ransomware and crypto-asset laundering on the up, child sex abuse increasing due to lockdown and increased online access, fraud at £3bn …

Sometimes, though, bigger numbers aren’t always bad. Here are two that I’ll take as positives:

  • £172 million was denied to suspected criminals as a result of defence against money laundering requests (up by 31% – see the SARs Annual Report for detail); and
  • £982 million of potential financial sanctions breaches were reported in the year ending March 2020. A 3.7 times increase from £262 million in 2018/2019.

Two indicators that firms are doing a better job in relation to financial crime compliance. More reports, more investigations, more disruption of criminal gangs.