OFSI Annual Review – 2022-2023

Sneaking in at the end of last year, OFSI (Office of Financial Sanctions Implementation HM Treasury) published their annual review. Or at least, the annual review running to March 2023, so a document that is some 9 months in the making!

Headlines, assuming that you can call them headlines given that the document is essentially out-of-date the moment that it was published, centred on Russian sanctions relating to the war in Ukraine, new cyber designations, and the growth of OFSI staff by 96 FTE. But no headline grabbing enforcement numbers. Between April 2022 and March 2023, OFSI issued just two monetary penalties with a combined value of £45,000.

As of March 2023 there were 3883 designations across 35 regimes, this compares to 3121 at March 2022, close to a 25% growth.

£21.6 billion of funds were reported to OFSI as frozen as of September 2022, an increase of £9.2 billion since 2021. In year reporting between February 2022 and October 2023 presents the impact of Russian sanctions with £22.7 billion of assets frozen.

It will be interesting to see the final impacts in the 2023-2024 report.

FCA Enforcement Trends – 2 Takeaways

At the end of July the FCA published it’s annual report and latest operating metrics which includes details on enforcement trends.

Two quick take-aways:

1. Financial Penalties Have Reduced

Total value and size of fines has dropped from those reported in period 2021/22. The value is down from £313m in 2021/222 to £199m in 2022/23 with numbers increased from 11 to 24. The penalties were dominated by the £107.7m for Santander UK, announced in December 2022, for repeated anti-money laundering failures.

2. Investigations Are Taking Longer

The average time to complete investigations is now 41 months. Increasing from 34 months in 2021/22 and just 25 months in 2020/21. Regulatory and criminal investigations rates have slowed considerably.

New PSR rules will change the shape of fraud and AML teams

The new PSR rules, announced this week, radically change the liability landscape for firms and will fundamentally change the way they need to structure their fraud and AML compliance processes.

With some simplification, let me explain this statement …

There’s always two sides to every transaction – a sender and a receiver.

Fraud prevention

Fraud prevention systems have, in the main, been built to focus on transactions that are sent. They’ve been built to mitigate the liability of potential losses and to protect customer account holders – the people or companies sending the transactions.

Fraud prevention systems are the ‘hares’ of the compliance world. They run in realtime, interdicting payments, to stop losses before the transaction leaves the sending institution.

Fraud prevention systems don’t, as a rule, consider or focus in detail on received payments. This is not because the institutions don’t believe that their own accounts may be risky , but because the liability for any loss on a payment has always historically sat very squarely with the payment sender.

Anti-Money Laundering

So what about received funds? Typically these are monitored by firms from an AML “proceeds of crime” perspective in order to detect suspicious activity as part of the ins and outs of account flows. These systems also look at sent transactions as well.

AML monitoring processes are the “tortoises” of the financial crime compliance world. They are typically slow and batch based. They look at longer term patterns of account and customer activity to identify money laundering risks. They don’t interdict or stop transactions. Their raison d’etre is to report suspicious activity rather than to prevent it from happening.

So what’s changed?

In a bid to tackle the rising rate of Advance Push Payment (APP) fraud, the Payment Systems Regulator (PSR) announced last week new rules for Faster Payments will mean that both sending and receiving firms are incentivised to act to take action on fraud. Both will become liable for the losses and will split the costs of reimbursement 50:50. 

Firms will need to adapt their fraud controls to look at both sent and received payments. This change will drive the continued convergence of Fraud and AML (FRAML!), both from technology and operational perspectives. If you are monitoring both inbound and outbound transactions in realtime to prevent fraud, why not do the same for AML? Why have two systems that are looking at the same data if they can be rationalised into one? Why have two teams when one combined approach could offer the best of both worlds?

To finish …

The new PSR rules set a new regulatory direction, firms hold a responsibility to monitor all transactions and customer account activity from both an AML proceeds of crime and a fraud prevention perspective. The 50:50 reimbursement split may be seen by some as controversial but will lead to greater levels of cooperation within and between firms that will help drive new models for fraud and AML.

How much are your AML controls worth?

Always an interesting question to ask given that appropriate anti-money laundering controls are requirement to hold and retain a banking license, or any other business license to operate in a regulated sector.

This week the answer is $13.4bn or perhaps $200m depending on whether you measure opportunity or cost.

This week TD Bank pulled out of a $13.4bn acquisition of First Horizon. Preventing the Canadian bank from becoming the sixth largest lender in the US and costing the TD $200m in a cash payment to First Horizon as a penalty to not complete the deal.

In response to the news, First Horizon came off even worse with shares plunging to a new low and a market capitalisation falling to less than $6bn.

The deal was ultimately scuppered following multiple delays following the Office of the Comptroller of the Currency and the Federal Reserve raising concerns over TD Bank’s handling of unusual transactions and its timeliness in reporting suspicious activity to them.

Other than a recent small value OFAC fine in 2021 ($115k) , TD has brushed more with regulators on themes relating to investor and consumer protection.

Either US regulators were being protective of their domestic market or perhaps there is yet more to unravel on this story

UK Fraud Strategy

Or should that be counter fraud strategy …

On 3 May the UK government published its new “Fraud Strategy: stopping scams and protecting the public” and an accompanying “what it means to you” overview.

Not quite the “fundamental shift” in approach that is mentioned in the introduction, but there are some useful steps forward. Most of the press has focussed on the clampdown on cold calling and SMS scams that have led to a rise in authorised push payment (APP) fraud in the UK, Acton Fraud will be replaced and there will be a new 400 person National Fraud Squad (NFS) created.

A couple of items of more interest that have gained less attention.

Firstly, in the age of instant payments the new UK strategy seeks to “help banks slow down suspicious payments”.

And secondly, the Economic Crime and Corporate Transparency (ECCT) Bill will help in providing safe harbour for those that share data to address economic crime:

Expect to see a 10% reduction from 2019 pre-Covid levels by the end of this Parliament!

OFAC continue their focus on corporates

OFAC have just announced a $5 million settlement agreement with a Hong Kong and China based firm, Sojitz (Hong Kong) Limited. The fine was for US dollar cross-border transactions relating to trade with Iran for Iranian-origin high density polyethylene resin (HDPE) purchased in Thailand. This continues the general trend of more focus and fines for sanctions violations by corporates.

The settlement agreement provides details of employees hiding and removing information from their compliance team and going ahead with payments even when informed not to.


Takeaways are the obvious:

  • Employees (at all levels) need to be open, honest and transparent about country of origin information and not remove this information or obscure it from compliance teams
  • If ‘errors’ happen then self-disclosure is always the right course of action. Total value of USD transactions was $75 million so the fine could have been a lot more had they not self-disclosed (up to $150 million given an egregious violation).

And perhaps most obvious, if you are to trade in goods with Iranian provenance, don’t pay in US dollars!

U.S. Department of Treasury Sanctions Review

On Monday (18 October 2021) the U.S. Department of Treasury released its 2021 Sanctions Review.
The report presents some welcome directions: enhanced multilateral coordination, avoidance of unintended consequences, clarity and reversibility, and the need to modernize. 
But it also reminds us why sanctions implementation continues to be an enormous industry pain point, slowing customer on-boarding, creating friction in the payment chain, and creating a compelling need for new technologies and approaches.
A 933% increase in OFAC sanctions designations in the last 20 years!

5 RegTechs to Watch

I was asked today which companies I think have the opportunity to change the way that we think about RegTech. Here’s my list and the reasons why.

There are some great larger organizations, but I’ve deliberately focussed on less well-known or smaller players. And I’ve also tried to pick those that are doing something quite different or operating in an area that is on the cusp of change.

In no particular order:

Neterium : Sanctions Screening

Fircosoft (LexisNexis Accuity) remains the dominant player in transaction screening, but otherwise, the sanctions screening market is extremely fragmented both at the enterprise level (BAE, Actimize etc), platform market (Temenos, FiServ), and with many small vendors (FinScan, ComplyAdvantage). Even though they are all building and promoting their own engines, the market has remained pretty much unchallenged in terms of technology and approach for the last 10 years. But the problem space has changed significantly.

Historically, customer onboarding didn’t require a high precision filter as processes were very manual. With automated workflows and customer experience the new priority, this is no longer the case. In the transaction space investment in sanctions was seen as a sunk cost by treasury teams and not something they were keen to change or improve – it’s now a cost that banks want to shift and the friction that filters create is unacceptable, again impacts customer experience, and is a principle reason why payments are so slow.

There’s an opportunity for the right product to disrupt the space and the Neterium team has the credibility of having done it before. If they don’t get there, then someone else will. If it is not Neterium then I would look to APAC or UAE given the additional challenges that those geographies have on character sets.

HelloFlow: KYC On-Boarding

A tiny startup that is taking a very different customer and application-centric approach to the customer onboarding process. Given their size, they may struggle to get a foothold in the market, but the demo on their website offers a glimpse of how onboarding flows can be easily automated. This could accelerate onboarding for fintech challengers, and ease adoption and adaption pains as they grow into new markets and create new products. More radically, the technology could allow big banks to catch up with the challengers in terms of agility and customer experience.

Tookitaki: AML Transaction Monitoring

So fundamentally AML transaction monitoring is really in need of a reboot, and I’ve not seen anyone yet that really has the vision to make a real change in this area. Today the trend is to improve, rather than replace the underlying transaction monitoring systems, and there are two ways people are working to do this.

The first approach is to streamline investigations through robotic process automation (RPA) and data consolidation, ensuring the analyst has a complete, informed, and re-prioritized view of risk. There are many vendors doing flavors of this: Blue Prism, DataRobot, Arachnys, Quantexa – all with their own merits.

The second is to optimize detection performance.

Tookitaki is in this second group, competing with the consultants who see it as a process problem (PWC, Deloitte etc), the toolkit vendors that see it as an artificial intelligence challenge (C3AI, SAS), and others that may be more focussed on sanctions than AML (e.g. Silent 8).

Tookitaki seems to be ahead in terms of its approach, analyst presence, and overall potential. They also have stronger regulatory ties which give them advantages given the sensitivity of this space.

Ravelin: Fraud Prevention

With a move to online, the fraud problem becomes a burden carried by the merchants and not by the banks. Ravelin was one of the first to offer API integration at merchant checkout that both addresses the merchant fraud problem and enhances the customer experience.

Compared to the fraud models that are applied by the banks, who only see transaction value, place, and time info, Ravelin can monitor the customer activity in more detail. They can understand purchase history, consider the modes of fraud associated with particular goods and services, scan IP information, and even consider customer dwell times.

Given that the old card issuer / merchant acquirer models are under threat from EPI in Europe and direct-to-account payment initiatives are being pushed by everyone (even the card schemes!), it would seem that there’s an opportunity in this area and those that offer easy integration and a complete holistic view of risk will win out.

Apiax: Regulation

The bridge between regulation and what gets implemented at an institutional level is a difficult one to build and has historically been filled by a combination of specialist advice, from big consultancies, legal firms, or specialist consultants and online news and training services such as those offered by Thomson Reuters, LexisNexis, and ACAMS. Consultants are engaged to build the compliance processes at your organization to align with regulations and the news services keep you up-to-date on changes.

The challenge with these approaches is that they do not make the mapping from regulation to implementation easy. And also don’t future proof an organization as regulatory requirements change, new products are introduced, or business shifts to new geographies.

Apiax is trying to become the new bridge. Joining regulation, to rules, to implementation. In theory, their approach could allow a FinTech to set up shop and be compliant with regulation without ever having to have engaged with lawyers or employed domain specialists to guide their implementations. Although this would probably not be viable in practice, many startups and even established institutions could accelerate time to market with this sort of approach.

Final Thoughts

I continue to be excited and inspired by the rate of change in the RegTech space. There are numerous other companies that I know of that could easily have made the above list, and probably even more that I’ve yet to encounter.

The above represents my own opinions, so please take it at face value.

Finally, if you want to have a conversation on any of this please get in touch.

EBA consults on a new central AML/CFT Database

On 6 May the EBA published details of a consultation on the creation of “Regulatory Technical Standards (RTS) on a central database on anti-money laundering and countering the financing of terrorism (AML/CFT) in the EU”.

The EBA has faced significant criticism in the wake of supervisory issues that emerged from events at Danske Bank. At the start of last year, it announced a new legal mandate that establishes it in a new role to lead, coordinate and monitor the financial sector’s fight against money laundering and terrorist financing across the EU. They published a factsheet on the strategy and approach.

Taken from EBA – Anti-Money Laundering and Countering the Financing of Terrorism, Feb 2020

The new consultation is part of work to create a key tool as part of the new EBA strategy. To establish and keep up-to-date a central database with information on AML/CFT weaknesses that competent authorities (CAs) across the EU have identified in respect of individual financial institutions.

Information sharing, either public or private, relating to financial crime is always a good thing but the focus here seems to be misdirected and could lead to further pressure on banks and FIs without the desired effect of risk reduction. As such the priority seems to be an attempt at fixing the supervisory failings, without turning the spotlight on the supervisors themselves, when it should really be focussed on improving the financial crime compliance outcomes.

It is obvious that competent authorities across the EU, and FIUs globally, should do more to coordinate their efforts to combat financial crime and that information sharing is a key enabler to do this. It is also clear that the assessment of institutions plays a significant role in ensuring safety and soundness – we are only as strong as the weakest link. But, if the technical specifications described in the consultation paper are anything to go by, this new database will just create a further stick to beat the banks with rather than real risk reduction.