08/06/2020

Running remote KYC & AML while keeping the regulator happy

Criminals have been quick to capitalise on the dramatically changed environment COVID-19 has created. They’ve found new ways of generating illicit funds, and new ways of laundering them. In turn, the compliance community has had to respond quickly to a fast evolving risk landscape whilst maintaining the regulator’s confidence.

For compliance practitioners, the challenge is even greater given the operational challenges such as ubiquitous remote working, potentially unstable infrastructure, intermittent broadband connectivity, and the very real possibility of limited resource.

However, whilst there are considerable challenges, there is also opportunity. The pandemic has laid bare some of the KYC and AML policies, procedures and controls, which are no longer viable in an online world. The current environment has forced organisations to adapt and in many cases, this has been the catalyst for them to modernise, digitalise and optimise the way they manage their financial crime compliance obligations.

Oleksiy Feshchenko, who spent 11 years with the Ukraine Financial Intelligence Unit (FIU) and is now AML Adviser on the UNODC’s Global Project Against Money Laundering, highlights a spike in cybercrime. Unusually high levels of online consumer activity create rich pickings for criminals, who are exploiting not only the increase in customers, but also their health concerns, for example offering fake, sub-standard or non-existent hand sanitiser and PPE, and embedding malware in popular online searches for news and updates on COVID-19.

Yet the pandemic isn’t without its challenges for criminals. Restrictions on movement disrupt illicit supply chains, with drug dealers unable to meet their customers. Criminals are having to find new ways to distribute their drugs and launder their criminal proceeds, for instance by acquiring food delivery businesses, so that they can continue to operate under the radar.

Oleksiy also notes how governments’ attempts to control the spread of the virus, through restricting the movement of people and closing down borders, is also impeding the flow of cash, particularly for international organised crime networks. Criminals still need to settle their accounts though and they have a few options: sit on the money until restrictions ease; deposit the money into bank accounts; or make online transfers. The use of unregulated, over the counter crypto-exchanges, where fiat currencies are converted into cryptocurrencies, is one such route.

As Katarina Cook, Head of Financial Crime at leading wealth management firm, Brewin Dolphin notes, the immediate impact of COVID-19 for Brewin Dolphin has been heightened risks in certain areas, such as clone fraud. Market volatility is also creating challenges, driving up the volume of market abuse alerts.

The shifting risk landscape is not purely driven by the criminal response to COVID-19. As Nick Barratt, Senior Manager in PwC’s financial crime business unit, points out, as countries went into lockdown, large banks with offshore customer service functions suddenly lost their offshore resource, with locked down staff unable to attend and operate call centres. Consequently, second line financial crime compliance staff (normally managing 2nd line checks and fraud analytics), have been deployed into frontline customer service roles, leaving a gap in fraud prevention.

In addition, for those businesses that rely on face-to-face contact, the sudden relocation to remote working means that some critical processes need re-evaluating. For instance, identity checks can no longer be conducted in-person, but instead need to be conducted online, and businesses need to be confident that their processes remain adequate to satisfy their risk-based approach. Although this is challenging for many businesses, nevertheless it is driving some positive outcomes. Organisations have the chance to update processes and procedures to enhance efficiency through the application of electronic identity verification and other digital tools. For many, the necessity to change is effectively accelerating digital transformation.

What impact is COVID-19 having on organisations’ risk-based approach?

It certainly makes sense for firms to refresh their risk assessments, in light of the pandemic, but Katarina Cook cautions against making substantive changes to systems and processes too quickly, without taking time to consider the longer term impact. Whilst she recognises the need for interim, short term responses as initial risks arise, nevertheless she warns that more dramatic changes, such as the implementation of new systems and controls, should be carried out in a more measured fashion, as it will take time to evaluate the risks effectively and design the right solution for the organisation’s needs. She also advises that when making interim adjustments, firms should make sure they keep an audit trail to justify and evidence their decisions in the event of an investigation. She recognises that meeting immediate needs, whilst keeping one eye on the horizon, is a real challenge when under pressure.

Does the current climate justify more flexibility in the AML system?

Regulators and supervisory bodies are issuing guidance to support businesses at this time and are showing some leniency in terms of reporting deadlines and turnaround times for evidence required in response to investigations. However there is no change to the regulatory requirements, which remain the same.

Some organisations are struggling to understand what is acceptable and in some cases a lack of flexibility in the documentation that businesses will accept is causing real challenges. For example, large banks and insurers are refusing to accept electronic death certificates. But with coroners working from home, there is currently no other viable option.

For Katarina Cook, this is too rigid an approach. When an electronic death certificate is the only means of verification available, firms need to consider alternative means to verify them, for example by adding an extra layer of controls, such as asking a professional person to validate the information.

And in an environment that prohibits physical meetings, the question of whether organisations should allow self-certification of documents was raised. Steve Elliot, who leads the UK and Ireland Business Services division of LexisNexis® Risk Solutions, warns against this, as it is all too easy for fraudsters to obtain very convincing counterfeit documents, for instance on the dark web. He recommends instead that organisations take advantage of digital solutions that exist on the market, to help them authenticate whether documents are genuine, and to confirm that they relate to a given individual. Such technology can provide practitioners with a far greater degree of confidence, as they leverage technology and big data to create much more reliable controls, and also help to build the regulator’s confidence.

Nick Barratt adds that self-certification may be sufficient in certain circumstances, when it relates to low risk individuals behaving in a way that would be considered normal for a trusted customer in a given situation. For Nick, this determination relies on an organisation’s risk-based approach, and their ability to recognise what normal looks like, for a person of that type, in that scenario. Anything outside of what is considered normal behaviour could arouse suspicion, at which point self-certification would no longer be appropriate.

As we look to the future, how do firms need to adjust their controls?

Oleksiy Feshchenko believes there will come a point at which governments and companies will no longer look to meet their AML and CTF obligations in-house, but will instead turn to external providers and data analytics experts for support. He views the application of blockchain technology as inevitable in the evolution of customer due diligence, as it allows the effective sharing of data between many parties, with an indelible audit trail. The question is, when will the financial crime compliance community, and of course the regulator, be ready to adopt it? Oleksiy believes the sooner firms get used to the idea and have their staff upskilled, the better.

You have to look beyond an individual entity to the full ecosystem, in order to identify risk

Steve Elliot anticipates an evolution in the way that organisations evaluate risk in relation to Politically Exposed Persons (PEPs), sanctioned entities and Ultimate Beneficial Owners (UBOs). Many practitioners still rely solely on screening against lists, which is extremely inefficient and is not likely to result in much insight given that criminals will have tried to cover their tracks. It’s also very unlikely that any regulator would consider this approach acceptable. Steve points out that to evaluate risk effectively, it’s necessary to look beyond the individual entity and instead to consider their wider associations, as part of the ecosystem they exist in.

How to identify these ecosystems?

Again, this relies on big data and technology to provide the context and insight on which intelligent, risk-based decisions can be made. Artificial Intelligence (AI) will have a big role to play here – it can be quicker than conventional analysis methods and is certainly powerful, but, as Oleksiy Feshchenko points out, it’s not a magic solution. As with any big data analysis method, it is limited by a number of factors, including the input data.

Ultimately, the extent to which AI can be relied upon is dictated by the level of confidence the organisation has in the system, and whether it is explainable. As Steve Elliot points out, the Information Commissioner expects AI to be transparent, with no bias. There will always be a threshold where the reliance on machine outputs is replaced by human intelligence to ensure the best outcome.

But will the regulator be happy?

Oleksiy Feshchenko believes that in the current climate regulators will be more in favour of firms trying new tools. Crime is changing and business is moving increasingly online, so it creates an opportunity for organisations to adapt and consider how their systems and controls could be enhanced through more automation and digital solutions.

For Katarina Cook, firms shouldn’t be afraid to speak openly with the regulator. They should raise risks and concerns, and discuss solutions. The Senior Management Function is still responsible for controls and ensuring they are working, but the regulator is sympathetic to the challenges and is providing guidance. After all, this is new to all of us and no-one is going to solve it overnight.