The anti-money laundering paradigm shift
Today, the banking sector’s annual spend on anti-money laundering (AML) compliance is in the hundreds of billions of euros, a large proportion of which goes on personnel. Spending large amounts on compliance is reasonable, considering the regulatory landscape is changing dramatically. But is it money well spent?
Regulators’ urge to scrutinise the financial sector’s fight against financial crime has developed a great deal in a short time. Rules are now stricter, and there are higher levels of accountability, which is forcing larger financial institutions to review their operations.
But the first instinct to throw people at the problem to make it go away seems to have failed. Hiring armies of people to tackle AML has created larger backlogs, more problems and less efficiency. What was supposed to comfort boards and CEOs is instead causing headaches and sleepless nights. In many larger institutions, this strategy has created an organisational challenge with a limitless cost appetite.
The strategy of chasing every customer is outdated. Small teams equipped with technology that can pinpoint the professional money launderers who hide in the crowd are much more efficient. So, more and more institutions are now switching from trying to tackle AML with vast teams of people to investing in more advanced technology. A shift in the AML paradigm is emerging.
Supervisors are also making a similar shift. They’re less accepting that a high spend on AML operations is a sign of good AML. Increasingly, they’re looking for smaller, specialised teams with the technical tools and risk-based approach that deliver more effective operations.
And they’ve moved from examining technical compliance to looking at the bigger picture – do firms understand their risks, how are they mitigating them and what’s the output? When single institutions are serving millions of customers, supervisors are looking for a well-planned risk-based approach. You can no longer get away with approaching all your high-risk customers in the same way by hoarding Know Your Customer (KYC) data and handling a hail of false positives. A customer who operates in a high-risk area needs frequent monitoring, but a customer with a difficult-to-understand ownership structure needs a well-worked-through KYC file. Both are high-risk customers, but the risks need different mitigations.
Supervisors have become more pragmatic. They no longer believe a bank can have updated customer knowledge about everything on everyone everywhere, irrespective of risk. Most have matured their understanding of the complex environment and the challenges AML staff struggle with. So, they’ve come to understand where to set a high bar and where to set a lower one.
This evolution has been crucial as AML must coexist with flexible services, fast transactions and cross-border trade in a financial market that’s growing by the minute.
From foxes to wolfpack
Regulators have also coordinated themselves. For example, in 2019, a Nordic-Baltic AML forum started to coordinate and synchronise the countries’ supervision. This provides an opportunity to have a strategy for managing the region’s larger institutions, which operate in more than one jurisdiction. In a short time, these supervisory authorities have gone from lone foxes chasing mice, to wolfpacks hunting for bison. Institutions are no longer out of reach just because they’re big and strong.
We saw this when the supervisory wolfpack singled out Danske Bank when it fell behind the herd in the migration towards better AML. The Estonian FSA pushed the bank to do better in 2017 but when the response didn’t meet expectations, the rest of the wolfpack encircled it. In the years that followed, the Norwegian, Danish, Swedish and Finnish regulators all scrutinised Danske Bank. For half a decade, the regulators have hammered the bank with intense investigations. And the only way out seems to be total submission by showing it’s creating the best AML system. There are signs of the regulators starting to let go of Danske Bank. But that opens the question, who’s next?
Making the parent accountable
Another example of a coordinated approach by Nordic-Baltic supervisors was when leaked information showed that Swedbank had misled supervisors about lax AML work in their Baltic subsidiaries.
Legal limitations in the Baltics made it impossible for national supervisors to levy harsh fines. But Swedish supervisors teamed up with their Baltic peers and started parallel and intertwined investigations into the shortcomings of the Baltic operations. Together, they punished Swedbank, saying the parent bank in Sweden was also to blame since it hadn’t had its group operations in order. The subsequent record-breaking 4 billion SEK fines showed that, even in the financial sector, you can’t avoid responsibility for your children’s actions just because you had your back turned.
Wolfpack tactics and coordinated inspections are something we can expect to emerge in the rest of Europe as well. A single rulebook is likely to replace the directives that highlight relatively large differences between EU member states, which would ensure all supervisors know the responsibilities of all financial institutions, wherever in Europe they are.
Already, a new type of AML college for joint supervision of large cross-border institutions is being set up across the Union. And the European Banking Authority has established a new database, named EuReCa, to collect intelligence about AML weaknesses in banks all over the region. These are key components when planning and executing coordinated efforts. Today, global institutions are difficult for small supervisors to manage with their own rules and fees. But such organisations would be no match for a group of coordinated supervisors.
AML and technology
When looking at the challenges and expectations that lie ahead, the future of AML is bound to be in technology. The human brain can understand risk and collect customer knowledge, but when there are millions of customers and they all look the same to the untrained eye, the old systems and human limitations become obvious.
An efficient and smooth link between the risks, customer knowledge and customer behaviour is only possible when technology brings it all together. For a large institution, today’s requirements for monitoring customers mean they need technology that can distinguish between high- and low-risk customers, as well as between unusual and suspicious transactions. They also need systems that can scale up to manage millions of old and new, transitioned and dormant customers, and understand their individual risks.
In the short term, such institutions will need to align AML operations to these requirements. In the long term, they’ll need to leverage machine learning and artificial intelligence to automate as much as possible.
Today’s technology won’t solve all problems. So, to invest in AML should also be to invest in research and development. Pharmaceutical companies, for example, invest over 25 per cent of revenues in research and development. Financial institutions should think about how much they spend on meeting tomorrow’s demands.
At the same time, supervisors should think about what signal to send to institutions that try finding new solutions rather than focus on old, safe but inefficient ones. It will be important to favour institutions that take responsibility to move things forward in the fight against financial crime.
The future of AML
Banks have made strong efforts in AML so far. But smart investments in skilled people equipped with innovative technology should be on the agenda of every board and CEO.
However, financial institutions aren’t alone in the fight against financial crime. Supervisors need to keep evolving their strategy and understanding of the challenges institutions face, and focus on outcomes rather than tick-box compliance.
The future is in technology and in-depth skill, which will take courage and perseverance to achieve. The ones that dare will be the ones to win in the fight against financial crime.