In the last two decades, anti-money laundering (AML) regulatory framework, processes and mechanisms have not changed much. As a result, fraudsters are capitalising on firms’ inadequacies to spot and deal with money laundering.
Alexandre Pinot, co-founder and head of innovation and strategy at Vilnius, Lithuania, headquartered AMLYZE, the AML/CFT compliance firm explains where the gaps in the current AML system are.
Is the global anti-money laundering (AML) system broken?
Imagine if the businesses you work with and rely on still protected their IT systems according to the same threats and technologies that existed in 2001. That’s six years before the first iPhone. Eight years before the invention of Bitcoin. Eighteen years before the first public 5G deployment. Twenty-two years before ChatGPT.
You probably wouldn’t feel very secure knowing that you were exposed to any number of new risks that have emerged in the meantime.
From where I sit, in the fintech innovation hub of Vilnius, Lithuania, that’s exactly the situation I see today in the world of anti-money laundering (AML). We are working towards tech-driven AML solutions but are constrained by a regulatory environment that is nearly a quarter century out of date.
Relevant laws have existed for about 50 years and the Financial Action Task Force (FATF) was established in 1989 by the G7 nations as a global money laundering and terrorist financing watchdog. But the actual AML regulatory framework, and the processes and mechanisms as we know them today, largely date from the USA PATRIOT Act of 2001, which itself is the direct result of the 9/11 terrorist attacks in that year.
Frankly, not enough has changed since then, at a time when payment systems have never been so interconnected, money flows have never been at such a high volume, the speed of cross-border payments has never been so fast, and the risks to society from organised crime and terrorism have never been so high.
What’s the problem?
The UN estimates that money laundering globally accounts for two to five per cent of global GDP, or $800billion to $2trillion. If the problem is immense, on the face of it, AML regulatory requirements and laws seem sensible enough. They may differ, from country to country, but the main principles tend to be very similar.
Identify your customers (otherwise known as KYC – know your customer) and assess the risk they present in terms of money laundering and/or terrorist financing.
Monitor your customers’ transactions and assess whether they match their KYC profile and initial risk assessment level at onboarding.
If that is not the case, and you observe unusual and/or suspicious activity, submit a report (via a suspicious activity or transaction report – SAR or STR) to your local financial intelligence unit (FIU) for investigation, if necessary, escalate matters to the relevant law enforcement authorities.
The big challenge in this framework is that there is no clear definition of what ‘suspicious’ looks like and therefore what needs to be reported. What seems suspicious to bank A in country X might appear perfectly legit for fintech B in country Y. What’s needed are very clear and objective typologies to define what is suspicious and what isn’t.
Defining ‘suspicious’
It’s not like people are not trying. Since the USA PATRIOT Act, global efforts to combat money laundering are no longer confined to national borders. The EU’s decision to establish a dedicated Anti-Money Laundering Authority (AMLA) is a step in the right direction. While the AMLA will be located in Frankfurt, it’s worth noting that Vilnius put forward a strong case to host the authority, underscoring its commitment to being a leader not only in fintechs but also in the fight against financial crime.
Other initiatives, besides the AMLA and FATF, include the Egmont Group, a global network of FIUs that produces typology reports to help governments and stakeholders better comprehend existing and emerging threats.
And yet we know that things are not currently working well enough.
Things don’t add up
Part of the problem is the time lag between FIUs or the FATF identifying an issue, agreeing an approach across members, and publicising it via typologies. Timelines are drastically disconnected from the reality of modern financial crime, with the result that outdated guidelines are almost baked into the system.
This can offer a huge window of opportunity for money launderers, who, to be completely honest, don’t need to be that sophisticated to take advantage. As an example, the FATF revised its standards to address the risks associated with virtual assets in June 2019, or more than 10 years after the launch of Bitcoin (January 2009) – hardly a digital-speed response.
Slow and inadequate responses by regulators can also make doing business highly problematic. Transit accounts, for example, are among the typologies identified as suspicious by the FATF. But many neobanks have developed business models based on transit accounts in recent years.
Do they really have to report every transaction?
One consequence is that banks, fintechs (and any other subject entities) end up submitting a lot of SARs for transactions and/or customers they know probably do not really pose problems. It’s known in the industry as ‘defensive reporting’. And you can see why, in an environment where failing to meet regulatory standards is an expensive and possibly terminal error.
Even basic mathematics tells us that things do not add up. The number of SARs sent to FIUs every year has simply not kept up with the rapid increase in the volume of assets being frozen or confiscated.
The UK Financial Intelligence Unit (UKFIU), for example, which is responsible for processing SARs, received and processed 573,085 SARs in 2019/20, marking a 20 per cent increase compared to the previous period.
In the US in 2022, financial institutions submitted more than 3.6 million SARs to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). This was an 18 per cent increase over 2021, which in turn had seen an increase of 22.5 per cent increase over 2020. And latest data shows this trend has continued into 2023 in most jurisdictions across the globe.
At the same time, the data show that the amount of assets seized or confiscated, which is a relatively good indicator of the success of anti-financial crime investigations, has remained stable or increased slightly, but is far from correlating with the increase in the number of SARs.
Data challenges
AML technology has, of course, improved substantially since 2001 and, having worked in AML/CFT for almost 15 years, I see some positive changes in the market. Automated transaction monitoring, machine learning, and big data analytics, for example, are all enhancing detection capabilities.
But there are roadblocks. First, the globally-used typologies are often context-specific, heterogeneous, and subjective. While they provide valuable insights for human analysts, translating them into structured data suitable for machine learning (ML) models is complex.
Data protection and privacy (DPP) trends (which are perfectly legitimate and important) present another challenge. Everybody involved in AML agrees that sharing information about known bad actors would have a dramatic impact. But current trends towards strengthening data protection create barriers and limitations.
Precisely where the use of technology presents immense opportunities
Indeed, synthetic data, which is information that is artificially generated rather than produced by real-world events, is a possible response to these challenges. The idea is to keep only the data necessary for risk identification. Names and addresses get scrubbed out. There’s no need to even reveal the country of the user – just the risk profile of that country. Likewise the exact amount of the transaction is not needed – just the risk it represents. By generating data that mimics real-world patterns without compromising privacy, organizations can share insights without revealing sensitive information.
The time has come to rethink the outdated “follow-the-money” approach that has worked in the anti-financial crime industry for dozens of years but which is now reaching its limits. And developments like synthetic data, privacy enhancing technologies (PETs), machine learning and AI can be the keys to implementing a new, more proactive model. By analyzing gigabytes of past suspicious transactions with advanced technological tools it is now possible to anticipate and identify where, when and how future criminal activity may occur. And that puts us in a good position to build a better firewall to prevent it.
As we look to the future of AML, it’s clear that we need innovation, collaboration, agility and proactivity (rather than reactivity). Cities like Vilnius, with its thriving Fintech scene and commitment to combating financial crime, are well-placed to lead the way. AML may be broken today, but technological innovation and human ingenuity exist to solve that challenge.
