Rather than being an impediment, anti-money laundering regulation and compliance are an opportunity for business growth with the help of regtech.
The technological advances that enable funds to be moved effortlessly and rapidly anywhere in the world, benefiting both businesses and individuals, have also been exploited by criminals, who continue to find new ways to launder their ill-gotten gains. Money laundering is big business, with Deloitte putting the figure at somewhere between $800 billion and US$2 trillion annually – a staggering 2-5% of global GDP.
To tackle this growing challenge, jurisdictions around the world are putting greater emphasis on anti-money laundering (AML) regulations and guidelines. These continue to evolve and expand, just like the external threats they were designed to alleviate. Navigating this shifting landscape requires constant readjustment. For banks, however, implementing any change is a costly, complex and protracted process.
Cost, complexity and consequences
Compliance with new mandates, such as the Anti-Money Laundering Act of 2020 (AMLA) in the US, and amendments to existing regulations, has increased this complexity and is a major driver of expenditure, with billions of dollars spent annually. It also requires the implementation of robust policies, procedures and a range of other internal controls, yet bank compliance teams are under intense pressure to monitor a higher volume of activity faster, more accurately and with fewer resources at their disposal.
Ineffective AML controls can have disastrous consequences, as Danske Bank’s failure to adequately screen €200 billion ($235 billion) in non-resident cash that flowed through an Estonian unit, highlights. As a result of its central role in one of Europe’s largest-ever money laundering scandals, the bank continues to suffer reputational damage and falling customer numbers.
Creating new opportunities
Banks understand that non-compliance with AML regulation is not an option but building a solution in-house can be a costly, lengthy and risky undertaking. Even if successfully delivered, long-term success is not guaranteed. A system that ends up as an assortment of poorly integrated point solutions will fail to provide the necessary transparency for a cohesive view of the bank’s AML risk. With a growing need for solutions that provide greater agility, improve controls, increase efficiency and reduce costs, banks are increasingly turning to regulatory technology (regtech) to meet their requirements.
Using intelligent data, regtech can provide a complete, cohesive view of a business and its customers. Not only does this make it easier for banks to comply, but it also enables new opportunities to be identified, taking regulatory compliance from being a burden to a gateway to business growth. Celent, a global research and advisory firm, recently identified several areas that are ripe with potential, including regulatory reporting (to FinCEN and FINTRAC, for example), AML/Know Your Customer (KYC), risk analytics, and fraud. If each of these compliance tasks is performed by a different person on a different platform, it becomes virtually impossible to know what is going with a customer across all of these platforms. Using a single platform to manage these areas, however, not only simplifies operational processes but also augments the bank’s risk intelligence.
Rather than building in-house, many banks are now opting to collaborate with trusted regtech providers to implement innovative approaches to AML compliance. Regulators support this approach, recognizing the value of this collaboration both to the banks and the wider financial system, which is further strengthened against illicit activity.
Regtech for KYC
One area where regtech is being leveraged for KYC is in identity verification. Digital identities, along with verification technologies, are poised to enable faster and more accurate customer validation and verification for streamlined KYC processes. They will also speed up customer onboarding.
In its Guidance on Digital Identity, the Financial Action Task Force describes two essential components in the digital identity process: 1) Identity proofing and enrolment; and 2) authentication or validation.
Identity proofing and enrolment involves obtaining attributes and collecting attribute evidence; and resolving identity evidence and attributes to a single unique identity. Attribute evidence may be physical (e.g. a plastic driver’s license) or digital, with digital representations of physical evidence that can be stored in electronic databases now widespread. Digitally stored identity evidence has the advantage of being able to be obtained remotely, and for information to be remotely verified and validated against digital databases.
An identity service provider (IDSP) needs to be able to establish if the person claiming an identity is the same person who was identity-proofed and enrolled. To determine if the identity evidence is genuine (not counterfeit, forged, or stolen) and accurate, it must be authenticated or validated by checking that it matches trusted, authoritative, independent source records.
Authentication factors fall into three broad categories: knowledge, ownership, and inherence. Knowledge factors include usernames, passwords, and responses to pre-selected security questions. Ownership factors comprise areas such as cryptographic keys, security tokens, and one-time passcode (OTP) generators. Inherence factors cover biophysical biometrics, such as facial recognition, fingerprint or retinal pattern biometrics, and advanced behavioral biometrics.
For example, the IDSP could check a physical driver’s license or digital image of it and determine that it hasn’t been altered in any way, follows standard identification number formats and that any physical or digital security features are valid and have not been tampered with. The IDSP will also confirm if the information matches the government issuing sources for the identity document.
To confirm that a validated identity relates to the individual being identity-proofed, it needs to be verified. The IDSP could ask the applicant to take and send a mobile phone video or photo with other ‘liveness’ checks. The photo submitted by the applicant will be checked against the identity evidence held on file. The IDSP could then send an enrolment code to the applicant’s validated phone number that is linked to the identity; require the applicant to provide the enrolment code to the IDSP; and confirm the submitted enrolment code matches the code sent by the IDSP. This verifies that the applicant is a real person, owns and controls the validated phone number, and is, therefore, identity proofed.
Selecting a digital identity solution
FATF makes several recommendations for banks and other regulated entities to follow when considering digital identity solutions.
Firstly, it is essential to understand the key components of digital identity systems, especially identity proofing and authentication, and how these apply to customer due diligence. Banks should take an informed, risk-based approach to reliance on digital identity systems for customer due diligence.
This includes understanding the system’s identity proofing and authentication assurance levels and ensuring these are appropriate for the money laundering or terrorist financing risks associated with the customer, product, jurisdiction and geographic reach. Anti-fraud and cybersecurity processes also have a role in supporting digital identity proofing and/or authentication for AML efforts, including customer identification/verification at onboarding, and ongoing due diligence and transaction monitoring.
FATF further recommends that banks ensure they can access or have a process for enabling authorities to obtain the underlying identity information and evidence or digital information needed for identification and verification of individuals. Banks are now being actively encouraged to engage with regulators, policy makers, and digital identity solution providers to explore how this can be achieved efficiently and effectively in a digital identity environment.
Make your KYC easier – contact us to learn about Alessa’s AML compliance solution or to request a platform demo and find out how we leverage regtech to enable financial institutions to take a risk-based approach to compliance.