Covid-19 turned out to be the biggest accelerator for digital adoption. Firms that traditionally shunned digital ways of working have either adopted them or are in the process of kickstarting their digital transformation journey. A McKinsey survey found evidence of this acceleration.
Having started on this digital journey, many small and medium-sized banks, financial services and insurance firms are now getting exposed to the perils of the digital world for which they were ill-prepared. Digital operations enhance customer experience, improve operational efficiencies and even create new revenue streams.
However, it also exposes the firms to financial crime modalities that they were not exposed to in traditional non-digital operations. When we speak of financial crime, we mean not only profit-motivated fraudulent activities but also money laundering and terrorist financing activities.
For example, a customer with dodgy financial credentials will hardly escape the anti-money laundering risk assessment performed in person by a hawk-eyed branch manager. The same dodgy customer transacting via digital channels, however, is a different story. The probability of the customer escaping the scrutiny of financial crime prevention systems is dependent on the effectiveness of the preventive systems in place.
The financial crime prevention landscape has evolved drastically over the last couple of decades. In 1993, the UK had a single anti-money laundering law. In 2022, there are nearly 20 different laws and regulations that most banks and financial services institutions need to comply with. This multitude of laws and regulations has been introduced over a long period.
Every time a law or regulation is introduced, the firms have reacted by deploying a system to comply with the law or regulation. This has created a complex network of systems, each dealing with a specific aspect of financial crime prevention. Some firms have gone ahead and integrated these siloed systems by deploying a control system. Fewer still have moved to an integrated platform that covers all aspects of financial crime prevention.
In the absence of a unified platform, a network of systems held together by “glue” processes or a control system creates friction and in some cases impedes business. A failure in any of the siloed processes or “glue” processes can potentially result in a regulatory fine.
Some of the processes might be treated as regulatory compliance requirements but in reality, these are preventing serious financial and reputational risks for the firm. Let’s take an example of a customer due diligence process for a business. It can act as an indicator of the propensity of a customer to participate in potentially criminal activity such as laundering money gained through illicit means like bribery or financial fraud.
An ineffective due diligence process that treats these processes as a “tick box” exercise for regulatory compliance may fail to catch a few of these bad actors. This exposes the firm to greater reputational risks.
Financial crime prevention is a serious business
While most firms take financial crime prevention obligations seriously, some are grappling with budget and staff issues to deal with these effectively.
Not handling financial crime obligations efficiently can expose firms to not just additional risks but also overhead costs. This is revealed in another McKinsey study of financial crime-related costs.
This study has provided insights into a spectrum of effects that result due to financial crimes. Apart from the direct financial loss to consumers and firms, there is a reputational impact too.
It is noticeable that regulatory fines are a significant cost compared to overall costs that are borne by the firms. In 2021, the Financial Conduct Authority (FCA) of the UK dished out fines of over £500 million (yes, you heard that right – 500 million) for lax financial crime prevention systems.
Large firms like multinational banks have been operating digitally for a long time. Yet they were the ones who were fined exorbitantly. Now that small and medium-sized banks and building societies are going digital, they need to pay attention to their financial crime prevention systems and make them practical for digital operations.
The FCA notice to one of the banks that was fined is an interesting read and brings out the dimensions that other firms can pay attention to.
They can be summarised mainly as process, policy and procedure failures, compounded by organisational as well as stakeholder education failures, which were then amplified by information system and automation failures. There is also an element of cyber security, identity and access management, which helps prevent many fraudulent transactions and can work as a hygiene factor.
When you consider these dimensions collectively, you get a framework to evaluate the effectiveness of your financial crime prevention system.
We explain this framework, what we call PICASO, below.
The PICASO framework can provide a firm with the required foundation to evaluate the maturity of financial crime prevention systems and make them fit for the digital world. Firms can not only assess the maturity of their financial crime prevention posture using this framework but also select a desired target maturity state to align with their digital ambitions.
Policies, procedures and processes
FCA requires firms to underpin their financial crime prevention activities with policies. Firms then enact procedures to implement these policies. These procedures, over time, tend to deteriorate, for various reasons.
It is a useful practice to have a periodic audit of the procedures for compliance with policies as well as the effectiveness of procedures to achieve the policy goals. Many times, the employees cannot cope with the procedures because they are short-staffed or there is some sort of misconfiguration in the system, resulting in non-compliance with policies. It is a good practice to identify such issues and address them. One way to pinpoint such issues is to have statistical process control over the entire process.
For example, in a large bank that was fined by the FCA, it was found that the alerts raised by the system for potential money laundering were not closed within the policy-stipulated 90 days. On further investigation, it was found that after a new release of the alerting system certain parameters were changed, resulting in a higher than normal number of alerts. Since there was no statistical process control, the sudden rise in alert volume escaped management’s attention. As a result, a lot of alerts went undetected and eventually resulted in a severe FCA fine.
So periodic audits of the procedures and statistical process control can be good practices to keep your financial crime prevention effective.
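As an added illustration (not part of the original article and not taken from any FCA notice), statistical process control over alert volume can be as simple as a control chart on daily alert counts. The counts below are constructed sample data, and the c-chart limits (centre ± 3√centre) and the four-day run rule are assumptions chosen for this sketch; classic run rules typically use a longer run.

```python
from math import sqrt
from statistics import mean

# Constructed sample data: daily counts of AML alerts before a release.
BASELINE = [102, 96, 110, 99, 105, 93, 101, 108, 97, 104, 100, 95, 107, 98]
# Constructed sample data: daily counts after a hypothetical release that
# changed alerting parameters.
POST_RELEASE = [103, 109, 118, 124, 141, 156]


def control_limits(baseline):
    """Return (centre, lower, upper) c-chart limits for count data.

    Assumes counts are roughly Poisson, so sigma = sqrt(centre).
    """
    centre = mean(baseline)
    sigma = sqrt(centre)
    return centre, max(0.0, centre - 3 * sigma), centre + 3 * sigma


def out_of_control(baseline, observed, run_length=4):
    """Flag days that breach the 3-sigma limits or extend an upward run.

    Returns a list of (day_number, count, reason) tuples, days numbered from 1.
    """
    centre, lower, upper = control_limits(baseline)
    signals = []
    run = 0  # consecutive days strictly above the centre line
    for day, count in enumerate(observed, start=1):
        run = run + 1 if count > centre else 0
        if count > upper or count < lower:
            signals.append((day, count, "beyond 3-sigma limit"))
        elif run >= run_length:
            signals.append(
                (day, count, f"{run} consecutive days above centre line")
            )
    return signals


if __name__ == "__main__":
    centre, lower, upper = control_limits(BASELINE)
    print(f"centre={centre:.1f} lower={lower:.1f} upper={upper:.1f}")
    for day, count, reason in out_of_control(BASELINE, POST_RELEASE):
        print(f"day {day}: {count} alerts ({reason})")
```

On this sample the run rule raises a signal on day 4, one day before the volume crosses the upper control limit, which is the kind of early warning that lets management add reviewers or revisit the release before alerts start ageing past the policy deadline.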
The information system could be the most useful tool in the fight against financial crimes, but it could also be the greatest weakness. Believing that merely having an information system as part of the financial crime prevention strategy diminishes the possibility of an attack is a wrong assumption.
The use of information systems in financial crime prevention has evolved in parallel with the rise in regulations and laws governing financial crime. There are typically multiple systems acquiring data, feeding that data to yet another layer of systems that evaluate the data and then prompt the necessary actions.
There could be another layer of systems managing the actions and then feeding back the decisions to the source system where the data was acquired. Things can go wrong in any of these systems and their interconnection. The various siloed systems were developed organically over a period in response to specific regulatory pushes.
These siloed systems expose you to risks and, if you haven’t already done so, this is probably the right time to consolidate them into an integrated platform. There are quite a few integrated platforms in the market that provide such consolidated functionality.
Again, drawing on the example of the institution that was fined heavily, they had a couple of key information systems involved in the financial crime prevention ecosystem. However, these systems' capabilities were either not fit for purpose or were misused by users to cope with the volume of alerts being generated. The release and testing processes were inadequate too. This resulted in several alerts being processed late or configurations being made to not generate the alerts.
Having a consolidated financial crime prevention platform backed up by solid release and testing processes can help tide over information system-related issues.
Financial crime in the digital age also puts banking and financial services on the centre stage. It is not just the money laundering that is a concern. Money laundering is the tail end of the financial crime spectrum. With digital operations, it has become easier for bad actors to take advantage of unsuspecting consumers and engage in fraudulent activities with a profit motive.
New fraud modalities are discovered frequently, be it spear phishing, romance scams or Covid scams. Many such fraudulent activities are difficult to prevent at the banking or financial services firm level. But firms must keep their guard up and make sure their cybersecurity posture is up to the mark. They must also introduce appropriate friction points in customer journeys to dissuade these fraudulent activities.
Consumer fraud is not the only fraud that firms need to worry about. There is also an insider fraud risk that the firms need to protect against, which is typically addressed by having effective identity and access management practices coupled with effective surveillance of key activities.
For example, in a micro-lending firm, some collection agents were scamming the firm with zombie accounts, which then went delinquent, thus skimming the funds from those accounts for their own gain. With a machine learning-based surveillance system, the firm could detect and prevent 80% of such cases.
Effective cybersecurity and fraud control measures are hygiene factors within the financial crime prevention ecosystem.
A firm’s financial crime prevention system had the luxury of time whilst operating in the non-digital world. In a digital world dominated by Gen Z consumers, time is one thing that gets squeezed in any business transaction. So, processes that used to take days are now expected to be completed within hours. Firms are also under pressure to control expenses on regulatory compliance activities. In such scenarios, automation can stand them in good stead.
Firms can use automation to control disparate internal systems and avoid swivel chair integration, where a human actor merely replicates information from one information system into another. Firms can also automate obtaining and processing external inputs such as a PEP or adverse media alert.
Using the appropriate automation measures will not only address the compliance conundrum but will also have a positive impact on customer experience.
The fraud aspect of financial crime is not preventable by having a post-facto transaction screening/alerting system. Various fraud modalities depend on innocent consumers performing, of their own accord, actions that are detrimental to their financial well-being.
Whilst firms can put in various mechanisms to flag fraudulent transactions and introduce friction points in customer journeys to give consumers a chance to seek advice and take appropriate actions, stakeholder education remains the best defence against a vast range of fraud modalities.
Firms must make an effort to educate their stakeholders about evolving fraud modalities, how to recognise and defend against them as well as how to recover from the fraud, in case they have already succumbed to it.
The new consumer duty regulation puts extra emphasis on protecting vulnerable consumers. Firms must have a way to identify and then ensure protection for such vulnerable consumers.
Most of the time the root cause of all issues is an inappropriate organisation structure. There is no silver bullet here. Large multinational banks have a regional shared services organisation, catering for regional financial crime needs. Some of them have a global organisation. Having a global organisation may provide economy of scale but, on the flip side, the firm will lose out on jurisdiction-specific expertise. A regional shared service organisation may offer the best of both worlds.
For small to medium-sized firms, a firm-wide shared service may make sense. But a siloed product or geography-centric organisation structure should be avoided even by small firms. Such a structure could be a legacy and, due to the evolutionary nature of regulation, it needs to be transformed sooner rather than later.
Digital ways of operating offer great rewards for firms. In the future, it may be the only way to operate. However, firms need to be prepared for the rigour of the regulatory requirements that digital transformation brings with it. Our PICASO framework offers a way to assess your readiness for the financial crime prevention regulatory needs in line with your digital ambitions. One thing is clear, though: digital transformation needs a transformation in regulatory compliance posture too, and firms should not assume that digital transformation has no impact on their regulatory compliance stance.
We offer a self-service Financial Crime health check assessment. Please write to email@example.com for a free Financial Crime health check assessment