New PSR rules will change the shape of fraud and AML teams

The new PSR rules, announced this week, radically change the liability landscape for firms and will fundamentally change the way they need to structure their fraud and AML compliance processes.

With some simplification, let me explain this statement …

There’s always two sides to every transaction – a sender and a receiver.

Fraud prevention

Fraud prevention systems have, in the main, been built to focus on transactions that are sent. They’ve been built to mitigate the liability of potential losses and to protect customer account holders – the people or companies sending the transactions.

Fraud prevention systems are the ‘hares’ of the compliance world. They run in realtime, interdicting payments, to stop losses before the transaction leaves the sending institution.

Fraud prevention systems don’t, as a rule, consider or focus in detail on received payments. This is not because the institutions don’t believe that their own accounts may be risky , but because the liability for any loss on a payment has always historically sat very squarely with the payment sender.

Anti-Money Laundering

So what about received funds? Typically these are monitored by firms from an AML “proceeds of crime” perspective in order to detect suspicious activity as part of the ins and outs of account flows. These systems also look at sent transactions as well.

AML monitoring processes are the “tortoises” of the financial crime compliance world. They are typically slow and batch based. They look at longer term patterns of account and customer activity to identify money laundering risks. They don’t interdict or stop transactions. Their raison d’etre is to report suspicious activity rather than to prevent it from happening.

So what’s changed?

In a bid to tackle the rising rate of Advance Push Payment (APP) fraud, the Payment Systems Regulator (PSR) announced last week new rules for Faster Payments will mean that both sending and receiving firms are incentivised to act to take action on fraud. Both will become liable for the losses and will split the costs of reimbursement 50:50. 

Firms will need to adapt their fraud controls to look at both sent and received payments. This change will drive the continued convergence of Fraud and AML (FRAML!), both from technology and operational perspectives. If you are monitoring both inbound and outbound transactions in realtime to prevent fraud, why not do the same for AML? Why have two systems that are looking at the same data if they can be rationalised into one? Why have two teams when one combined approach could offer the best of both worlds?

To finish …

The new PSR rules set a new regulatory direction, firms hold a responsibility to monitor all transactions and customer account activity from both an AML proceeds of crime and a fraud prevention perspective. The 50:50 reimbursement split may be seen by some as controversial but will lead to greater levels of cooperation within and between firms that will help drive new models for fraud and AML.

How much are your AML controls worth?

Always an interesting question to ask given that appropriate anti-money laundering controls are requirement to hold and retain a banking license, or any other business license to operate in a regulated sector.

This week the answer is $13.4bn or perhaps $200m depending on whether you measure opportunity or cost.

This week TD Bank pulled out of a $13.4bn acquisition of First Horizon. Preventing the Canadian bank from becoming the sixth largest lender in the US and costing the TD $200m in a cash payment to First Horizon as a penalty to not complete the deal.

In response to the news, First Horizon came off even worse with shares plunging to a new low and a market capitalisation falling to less than $6bn.

The deal was ultimately scuppered following multiple delays following the Office of the Comptroller of the Currency and the Federal Reserve raising concerns over TD Bank’s handling of unusual transactions and its timeliness in reporting suspicious activity to them.

Other than a recent small value OFAC fine in 2021 ($115k) , TD has brushed more with regulators on themes relating to investor and consumer protection.

Either US regulators were being protective of their domestic market or perhaps there is yet more to unravel on this story

OFAC continue their focus on corporates

OFAC have just announced a $5 million settlement agreement with a Hong Kong and China based firm, Sojitz (Hong Kong) Limited. The fine was for US dollar cross-border transactions relating to trade with Iran for Iranian-origin high density polyethylene resin (HDPE) purchased in Thailand. This continues the general trend of more focus and fines for sanctions violations by corporates.

The settlement agreement provides details of employees hiding and removing information from their compliance team and going ahead with payments even when informed not to.

HDPE

Takeaways are the obvious:

  • Employees (at all levels) need to be open, honest and transparent about country of origin information and not remove this information or obscure it from compliance teams
  • If ‘errors’ happen then self-disclosure is always the right course of action. Total value of USD transactions was $75 million so the fine could have been a lot more had they not self-disclosed (up to $150 million given an egregious violation).

And perhaps most obvious, if you are to trade in goods with Iranian provenance, don’t pay in US dollars!

5 RegTechs to Watch

I was asked today which companies I think have the opportunity to change the way that we think about RegTech. Here’s my list and the reasons why.

There are some great larger organizations, but I’ve deliberately focussed on less well-known or smaller players. And I’ve also tried to pick those that are doing something quite different or operating in an area that is on the cusp of change.

In no particular order:

Neterium : Sanctions Screening

Fircosoft (LexisNexis Accuity) remains the dominant player in transaction screening, but otherwise, the sanctions screening market is extremely fragmented both at the enterprise level (BAE, Actimize etc), platform market (Temenos, FiServ), and with many small vendors (FinScan, ComplyAdvantage). Even though they are all building and promoting their own engines, the market has remained pretty much unchallenged in terms of technology and approach for the last 10 years. But the problem space has changed significantly.

Historically, customer onboarding didn’t require a high precision filter as processes were very manual. With automated workflows and customer experience the new priority, this is no longer the case. In the transaction space investment in sanctions was seen as a sunk cost by treasury teams and not something they were keen to change or improve – it’s now a cost that banks want to shift and the friction that filters create is unacceptable, again impacts customer experience, and is a principle reason why payments are so slow.

There’s an opportunity for the right product to disrupt the space and the Neterium team has the credibility of having done it before. If they don’t get there, then someone else will. If it is not Neterium then I would look to APAC or UAE given the additional challenges that those geographies have on character sets.

HelloFlow: KYC On-Boarding

A tiny startup that is taking a very different customer and application-centric approach to the customer onboarding process. Given their size, they may struggle to get a foothold in the market, but the demo on their website offers a glimpse of how onboarding flows can be easily automated. This could accelerate onboarding for fintech challengers, and ease adoption and adaption pains as they grow into new markets and create new products. More radically, the technology could allow big banks to catch up with the challengers in terms of agility and customer experience.

Tookitaki: AML Transaction Monitoring

So fundamentally AML transaction monitoring is really in need of a reboot, and I’ve not seen anyone yet that really has the vision to make a real change in this area. Today the trend is to improve, rather than replace the underlying transaction monitoring systems, and there are two ways people are working to do this.

The first approach is to streamline investigations through robotic process automation (RPA) and data consolidation, ensuring the analyst has a complete, informed, and re-prioritized view of risk. There are many vendors doing flavors of this: Blue Prism, DataRobot, Arachnys, Quantexa – all with their own merits.

The second is to optimize detection performance.

Tookitaki is in this second group, competing with the consultants who see it as a process problem (PWC, Deloitte etc), the toolkit vendors that see it as an artificial intelligence challenge (C3AI, SAS), and others that may be more focussed on sanctions than AML (e.g. Silent 8).

Tookitaki seems to be ahead in terms of its approach, analyst presence, and overall potential. They also have stronger regulatory ties which give them advantages given the sensitivity of this space.

Ravelin: Fraud Prevention

With a move to online, the fraud problem becomes a burden carried by the merchants and not by the banks. Ravelin was one of the first to offer API integration at merchant checkout that both addresses the merchant fraud problem and enhances the customer experience.

Compared to the fraud models that are applied by the banks, who only see transaction value, place, and time info, Ravelin can monitor the customer activity in more detail. They can understand purchase history, consider the modes of fraud associated with particular goods and services, scan IP information, and even consider customer dwell times.

Given that the old card issuer / merchant acquirer models are under threat from EPI in Europe and direct-to-account payment initiatives are being pushed by everyone (even the card schemes!), it would seem that there’s an opportunity in this area and those that offer easy integration and a complete holistic view of risk will win out.

Apiax: Regulation

The bridge between regulation and what gets implemented at an institutional level is a difficult one to build and has historically been filled by a combination of specialist advice, from big consultancies, legal firms, or specialist consultants and online news and training services such as those offered by Thomson Reuters, LexisNexis, and ACAMS. Consultants are engaged to build the compliance processes at your organization to align with regulations and the news services keep you up-to-date on changes.

The challenge with these approaches is that they do not make the mapping from regulation to implementation easy. And also don’t future proof an organization as regulatory requirements change, new products are introduced, or business shifts to new geographies.

Apiax is trying to become the new bridge. Joining regulation, to rules, to implementation. In theory, their approach could allow a FinTech to set up shop and be compliant with regulation without ever having to have engaged with lawyers or employed domain specialists to guide their implementations. Although this would probably not be viable in practice, many startups and even established institutions could accelerate time to market with this sort of approach.

Final Thoughts

I continue to be excited and inspired by the rate of change in the RegTech space. There are numerous other companies that I know of that could easily have made the above list, and probably even more that I’ve yet to encounter.

The above represents my own opinions, so please take it at face value.

Finally, if you want to have a conversation on any of this please get in touch.

Money laundering deadline approaching …

Today, 23 June 2021, the new polymer £50 note will enter circulation, and the Bank of England have announced that 30 September 2022 will be the last day you can use Bank of England paper £20 and £50 notes.

So if you have £5 million of illicit gains stuffed under your mattress then you probably need to get your skates on and start laundering!

Two obvious questions. First, as we transition to digital payments is this the right time to be sustaining the life of a high-value note, more favoured by money launderers than legitimate citizens? Second, as was done in the wake of the Northern Bank robbery, why haven’t central banks used the regular re-issuance of notes as part of a strategy to make crime less profitable? Perhaps, an intelligent feature required as part of the the Bank of England’s Central Bank Digital Currency (CBDC) strategy?

The Lazurus Hei$t

Excellent and well worth a listen, The Lazurus Hei$t, a new BBC World Service podcast, tells the story of the Bangladesh Bank robbery and the attempted theft of a billion dollars by the North Korean-linked Lazurus Group. The tale has it all, financial and personal impacts of the Sony Pictures cyber-hack, state sponsorship of cyber-crime, the creation of counterfeit currency that’s almost better than the original, hacker hotels, hacking of payment systems at Bangladesh Bank, the movement of 500kg of cash from bank premises with faulty CCTV, laundering of funds through an unregulated Filipino casino system, Japanese links to the North Korean leadership dynasty, abuse of the charity sector, and more casino mayhem in Macau.

A fantastic plot for a fictional movie, if the story wasn’t true.

One somewhat ironic take-away from it all (in a Scooby-Doo style) is that they would’ve got away with it if it hadn’t been for those pesky sanctions filters. A reported $1 billion transfer from the Federal Reserve Bank of New York, on behalf of Bangladesh Bank, to the Philipines based Rizal Commercial Banking Corp (RCBC) was never sent as the transfer to the branch location in Jupiter Street in Manila hit an OFAC SDN sanctions entry for “Jupiter“, an Iranian vessel. Another $20 million was stopped by another sanctions filter hit at Deutsche Bank against a spelling error of “fundation” where the hackers had tried to direct the funds to a, not entirely legitimate, nonprofit foundation in Sri Lanka.

Sanctions filter hit rates can be really bad, and often as poor as 1 in 20, that is one in every twenty transactions stopped for review when the filters are badly built or misconfigured. Of those hits, only a tiny fraction, less than 1%, are ever then reported as illegitimate transactions to regulators, so most of the work done by sanctions teams is wasted effort.

So the unanswered question “inefficient sanctions filters, a blessing or curse”? Well in this instance sanctions filters saved the day but more typically they are just creating cost and inconvenience for legitimate customers. Fixing and streamlining the poor quality of sanctions filtering is long overdue. It would remove cost, improve compliance, improve the speed and certainty of payments, and lead to a better customer experience.

And as to stopping those fraudulent payments, that’s the role of fraud prevention tools – not something detected by accident!