
InsideNOW

Technology and data to enhance AML/CTF and fraud risk management

The multitude of regulatory requirements has led financial industry players and corporations to search for efficient solutions to comply with all applicable rules. In only a few years, the AML/KYC/fraud detection landscape has exploded with a multitude of players (established vendors, FinTech and RegTech, the Big Four, etc.) and solutions.

Authors

Maxime Heckel - Partner - Forensic & Financial Crime - Deloitte

Julien Weber - Senior Manager - Forensic & Financial Crime - Deloitte

Published on 3 December 2020


Even today, financial industry players’ compliance processes are still highly manual and repetitive and do not always benefit from the latest technological innovations. To quickly comply with the latest incoming regulatory requirements, new tools are usually integrated by adding new layers to the existing technology stack. However, with today’s know your customer (KYC) challenges, technology and external data are no longer a nice-to-have.

In this article, we have selected some KYC and fraud-detection solutions that are currently actionable for a reasonable investment and running cost, to help financial institutions think and act differently regarding their anti-money laundering (AML)/combating the financing of terrorism (CTF) solution framework.

END-TO-END KYC SOLUTIONS

Despite several attempts at digitalization, financial institutions’ KYC operations are not yet state of the art. Financial institutions have been hit by several waves of innovation and transformation that tend to add new layers of tools and complexity. Integrating heterogeneous tools and solutions is challenging and costly, and the desired results are lacking; there are weak audit trails, a lack of collaboration, no clear workflows, and blurry engagement and accountability by stakeholders.

Operators are forced to use emails or even paper extensively, making traceability difficult and ultimately resulting in redundant activities and inefficiency. Moreover, with information and data spread over different systems, it is difficult to keep a single source of truth and avoid duplicates or inconsistencies in KYC data, documents and key performance indicators (KPIs).

One clear market trend to plug this gap is all-in-one, end-to-end KYC solutions. These cover both the initial and ongoing counterparty due diligence and include the collection and maintenance of static data, corporate data and KYC documents, watchlist and adverse media screening, risk scoring, dynamic KYC document checklists, monitoring of changes of circumstances, periodic review, and audit trail and reporting.

Often, these solutions also cover the required workflows and business rules that result in seamless KYC operations. They reduce the exchange of emails and information leakage, significantly decreasing the lead time for onboarding or periodic review.

Some of these all-in-one solutions come with additional features such as built-in external data feeds (e.g., watchlists, adverse media, corporate/trade register/beneficial owner data, etc.), automated KYC document processing or even ready-to-use application programming interfaces (APIs) to connect with existing systems (e.g., CRM, banking system, ledger, fund management platform, ERP, etc.).

Last but not least, as compliance rules are regulation (and business) driven, they can evolve over time. A centralized KYC solution in this context will allow financial institutions to maintain the entire risk-based approach configuration in one place, making updates easier.

KYC UTILITY AND OUTSOURCING

Between the ever-increasing regulatory requirements and the cost of compliance, building and maintaining good-quality KYC files on counterparties remains a massive challenge. This is not only the case for most financial institutions but also for newly obliged entities (e.g., corporates, art or real-estate market actors, etc.), compelling them to think and act differently. Usually, maintaining all KYC operations internally leads to inefficiencies and high ownership costs that are often underestimated. Therefore, we are seeing the emergence of innovative and centralized KYC service offerings.

Traditional KYC processing

There are two main models available:

KYC utility

This is a central repository that allows the collection, storage and verification of required KYC-related data and documents to comply with regulatory requirements. Clear advantages include a standardized and de-duplicated approach, increased quality of data and documents, a single point of truth regarding KYC files, a reduction in cost and a better experience for counterparties (who are now providing the same data/documents several times). Despite KYC utilities experiencing a difficult start in the market, mostly due to misaligned objectives or a lack of consensus among actors on a risk-based-approach baseline, we see some up and running today. Most of these centralized services are government-led and include KYC features for the high-volume/low-complexity market (e.g., retail banking, public services, etc.).

KYC outsourcing

From all-in-one cloud KYC solutions to fully outsourced KYC activities, the range of KYC outsourcing services on the market has mushroomed. Compared to pure KYC utilities, these solutions benefit less from the cross-institution factorization effect, but allow institutions to operate their own AML/CTF risk-based approach. This is a mandatory prerequisite for some specialized markets (e.g., wealth/asset management, art and high-end real-estate markets, etc.). This kind of KYC service also offers tailor-made features and provides more flexibility to manage data/document confidentiality (e.g., in-house hosting and/or operations, operations from a regulated entity, etc.).

Even though a range of KYC utilities and managed services are now available, financial institutions should still pay attention to the following when using these services:

Review and update their policies and procedures to reflect any potential change in their underlying risk-based approach, operations or controls;

Ensure they set up the right level of oversight of the service provider, and keep in mind that they are still ultimately responsible under the AML/CTF law, as this responsibility cannot be outsourced; and

Compute and monitor the related unit-cost of service, e.g., the all-inclusive operational cost per KYC file for onboarding or maintenance.

WATCHLIST SCREENING

Today, watchlist screening is a well-established topic for financial institutions. While fuzzy matching techniques have been used for the past 15–20 years, the underlying technology has barely evolved since then. Counterparty database screening and transaction filtering processes are still resulting in a high number of false positives, generating a huge operational impact. Market players have only recently begun transitioning to gen-2 solutions, with innovative name-screening platforms that usually combine two dimensions:

While the finance industry is not yet ready to dispose of the usual name-matching techniques, we are already seeing some interesting supplementary propositions. A good example is using voice recognition to match a person (to a voice sample) or to detect potential fraud based on advanced voice patterns, which could be used in call centers for example. Another biometric and promising use case is face detection, which uses advanced image processing to identify high-risk individuals (e.g., that are on a sanction list), even if they are using a fake identity. While limitations still apply to these technologies today, they are rapidly improving.

TRANSACTION MONITORING

Similar to watchlist screening, transaction monitoring (i.e., the detection of money laundering, terrorism financing or fraud behavior) still relies on processing methods that have been in use for more than a decade. While big names are offering appealing predictive and neural network detection features, in practice only a few financial institutions are using them due to their licensing costs and complicated implementation and maintenance. Consequently, many institutions are still using scenario-based detection processes that run overnight, often resulting in a mind-blowing volume of false-positive alerts.

Innovative solutions are now offering a more data-driven approach, computing not only accounts and transactions but a large set of business data (including non-financial events) in analytics engines to deliver actionable insights, i.e., conspicuous data items with much less noise than a classic rule-based detection. These systems use AI and machine learning at different stages of the monitoring chain to decrease the false positive rate and, consequently, the compliance operational cost.

Another advantage of these solutions is that they identify new suspicious cases faster without having to wait for a specific scenario to be implemented. Coupled with intelligent robotic process automation, the resulting alerts can be more efficiently distributed amongst the review teams (e.g., front office, a centralized KYC team, or compliance) and even be enriched to provide an enhanced investigation experience. These new features are either part of the latest releases of big-name solutions, or they are provided by FinTech/RegTech companies and are used to post-process the output of the usual rule-based software.

Last but not least, we are also seeing the emergence of centralized transaction monitoring initiatives, which aim to:

Centralize and optimize the use of detection capabilities, i.e., hardware, software and investigation resources;

Improve the detection of money laundering and terrorism financing (ML/TF); and

Reduce the cost of ownership for each participating institution.

If we focus on banks as an example, currently each institution is limited to its own silo of transactions. This makes transaction monitoring more difficult, especially to detect suspicious activities that often occur across multiple institutions. These initiatives aim to combine these efforts, not only by sharing files and information but also by using advanced analytics over multi-bank data, allowing the detection of unusual patterns that an individual bank could not achieve alone. In the case of suspicious activity, all institutions involved in the underlying transaction(s) are notified and handle the resulting alert(s) independently and privately.

Simply speaking, this is the application of KYC utility to transaction monitoring. One recent example is the “TMNL” initiative in the Netherlands, where five banks are collaborating to jointly monitor transactions.

Conclusion

In response to ever-increasing regulatory pressure, regulated firms and newly obliged entities alike have fine-tuned their existing systems, implemented new solutions and deeply adapted their operations. This has resulted in a huge increase in the cost of compliance and, as a result, in overhead. This, in turn, has led to the emergence of new all-in-one solutions that tackle these pain points.

Technological innovation has accelerated in the past few years, leading to a wider and more mature market offering. The rate of innovation will certainly speed up in the coming years, and several recent surveys have demonstrated that regulated entities would like regulators and governmental bodies to incentivize new technologies, or at least play a bigger role in market discussions around innovation.
