We've covered the topic of Financial Crime Compliance many times in our articles and LinkedIn videos but most have been on the topic of sanctions screening and customer identity. Today's article will shed some light on the transaction monitoring side of things and what to look out for if you're just starting out.
It's important to remember that the financial system is not just 'banks' anymore. There are at least a dozen types of financial institutions and license holders including Neobanks, Payment Service Providers, Card Issuers, Crypto-exchanges, eWallets, Money Service Businesses (think Currency Conversion & Remittance), and Credit companies all offering a variation of a service meant to store or move money. The common denominator between these businesses and every known form of illegal activity is money. Granted there are ways to barter illegal goods like exchanging illegal drugs for raw diamonds but it's important to remember that it's only one leg of the journey in a financial crime.
Being squarely at the center of the movement of money, a key responsibility, and indeed a regulatory requirement, of every financial institution is to prevent financial crime. The important word here is 'prevent' rather than 'eliminate' as it indicates the standard expected is making a concerted effort or putting adequate effort towards the task. How much effort and resources should be a topic of conversation between the regulator and its licensee, but a good place to start is ensuring to benchmark against peer organizations in the same industry.
No financial institution is going to be able to stop all financial crimes from ever happening. To expect this of them would come at a cost to processing speed and convenience that would drive the economy back to the stone age. Instead, regulators and industry leaders have settled on a best-effort basis.
Making some safe assumptions
Even in the fight against evil, nobody is going to put up with playing 20-questions with their bank just to buy a can of Coke at a 7-eleven. In an everyday transaction, the seller and the buyer have payment methods that may or may not be issued by the same company.
Closed-loop is where the buyer and seller share a payment service provider. This could be a QR payment system, a financial app, or even a credit/debit card provided the seller's card terminal was issued by the same bank. In this situation, some safe assumptions include that the bank knows who the customer is on both the buyer and seller side, oftentimes having already passed appropriately stringent due diligence assessments just to have their accounts open. The payments company or bank can also safely assume why the transaction was made given their knowledge of the background, age, and income level of the parties involved while also making safe assumptions about what was being purchased as they have a relationship with the store selling it. Now the only things that the payment company would be looking for are odd sums or frequency of transactions or if the accounts of either the buyer or seller have fallen into the hands of a third party - a somewhat more simplistic task when everything is handled by the same company.
Open-loop is where the buyer and seller both have different payment companies. This happens very often in retail situations that use credit cards or bank transfers. In this situation, everyone involved has to change their assumptions. Firstly, without knowing who owns the card used to buy the can of Coke (or indeed that it was a canned beverage being purchased in the first place), the seller's bank would have to assume what amount would be considered ‘normal spending’ for a statistically random person entering a convenience store, like say 12 dollars. They would also have to assume how often that same card would show up at the store without it being considered strange, an example would be four times a week if it was within proximity of a block of offices. These assumptions would remain general until such a time they could be evaluated, clustered, and further refined. The buyer's bank on the other hand would have to assume the same about how often each cardholder visited each type of store and how much they spent each time before thinking their behavior was odd and that they should open an investigation. Open-loop systems require that financial institutions trust any data sent over by a counterparty but not make any assumptions beyond that about the effectiveness of their counterparty's processes - not even assuming that the sender's identity is known.
When dealing with transaction monitoring, an institution should be looking for things that are suspected of being a financial crime and then only digging in deep, asking more questions, and documenting outcomes and decisions. Having strong statistically relevant assumptions of what constitutes 'normal' behavior is critical to avoid requiring a review for every single transaction.
Asking the right questions
What questions, may you ask? It all revolves around the simple key concept of knowing the purpose of a transaction. Transaction monitoring is a discipline of anomaly detection, but it doesn't stop there. The next steps involve understanding the anomaly and then deciding if it needs any further action. A common thread of logic follows tracking the journey of the money - was the money from an inheritance, legitimate business proceeds, or a salary? Can you trace its geographical origins? What is the payment for? Is the customer making the payment on behalf of someone else? If so, Who?
However, a word of caution - Financial institutions should avoid asking more questions than absolutely necessary to prove that the transaction was not criminal. This is because fincrime reviews are often perceived as intrusive incentivizing customers to lie or withhold information just for the sake of convenience - this distorts the review and then makes a genuine irate customer's behavior indistinguishable from that of a criminal's. Remember that 'the irate customer' is an often-used trope in social engineering, so it's best to design a process that avoids annoying your customers in the first place. It's not just good business, it's good fincrime practice.
Dotting the i's, crossing the t's…while making it snappy
Compliance is a game of fastidious documentation. Whoever has the most complete information, wins! Everything should be recorded - timestamps, chronology, admin IDs, customer information, reason codes, and where possible even the rationale behind why a decision was made. Notice how nobody ever said anything about the decision-maker needing to be a person? Using automated logic or artificial intelligence is completely acceptable and oftentimes encouraged as long as the implementation, testing, and refinement of these systems are equally well documented.
Criminals are opportunistic, don't give them an easy way in
If you consistently leave the upstairs window wide open, you're going to find a burglar coming through it one day, and then they're going to tell their friends. The institution with the most visible vulnerabilities or least meticulous processes will swiftly become the favorite among criminals. Wanting to keep things as smooth and as anonymous as possible means that once a financial institution is known to have a flaw, it will often face a barrage of the same type of attack soon thereafter. It's important to not just project the image of security, but also to be well known for fixing vulnerabilities fast.
We close off this article by returning to the analogy of home burglary used earlier - When designing the right amount of security you don't want a system that makes your house so impenetrable even your invited barbeque guests can't get past the front gate, but you also don't want one so weak that you look like the easiest house in the neighborhood to break into. As usual with these subjective topics, balance is key.
コメント