In many ways, 2017 was a seminal year for anti-money-laundering (AML) compliance. Setting the tone for AML enforcement was the convergence of new sanctions regimes, the emerging power of local regulators, more transparent Ultimate Beneficial Owner (UBO) data collection and cyber-enabled financial crime. With a resurgence of Cold War-era tensions between the United States and Russia, driven largely by trade sanctions weaponized to undermine Kremlin financial networks, AML is a theme that even infiltrated domestic electoral politics. In fact, a special counsel investigating President Donald Trump for potential Russian collusion during the 2016 election, indicted his former campaign manager, Paul Manafort, in October for allegedly laundering millions in lobbying proceeds paid to him by the ex-president of Ukraine, a pro-Kremlin politician1.
Sanctions are also shaping geopolitical conflicts in the Asia-Pacific region, as the U.S. increasingly bans Chinese banks suspected of providing financial services to the rogue North Korean regime2. Additionally, allegations made by a prominent Turkish gold trader in New York federal court last November, implicating Turkish President Recep Tayyip Erdogan in a scheme to bypass U.S. sanctions and launder nearly a billion dollars of Iranian funds through precious metals, has further strained stability in the Middle East. This case highlights how Office of Foreign Asset Control (OFAC) guidance is anchoring AML prosecutions, which in turn, are restructuring geopolitical relations to dramatic effect.
While big banks de-risk, dirty money goes downstream
Despite the staggering size of the German lender’s AML fine, broader compliance trends actually reveal harsher prosecution for smaller banks and money service businesses (MSBs). The growing risk profile of these entities is the byproduct of regulators imposing more aggressive counter-terrorism financing (CTF) and Treasury sanctions rules on big banks following 9/11. Large FIs have been lightning rods for the majority of this CTF and AML scrutiny, forcing them to bolster Know Your Customer (KYC) controls in an effort to mitigate regulatory risks that have manifested nearly $4 billion in BSA/AML fines since 2014.
The implementation of new-and-improved compliance processes and technologies has been expensive, however, with some experts pegging the total cost of the U.S. AML regime to reach $8 billion per year.5 As a result, large FIs have found they can operate more sustainably by shunning high-risk accounts and geographies. This “de-risking” has largely entailed shedding more precarious clients like foreign account holders, MSBs and correspondent banking relationships in non-transparent jurisdictions. Thus, large banks have become less hospitable and less attractive to bad actors. The upshot is that regulatory reform has just rerouted illicit funds into smaller and lower-profile institutions that often operate with less rigorous customer identification programs (CIPs) and transaction monitoring controls.
Today, criminals are increasingly exploiting porous Know Your Customer (KYC) controls in community banks and credit unions.6Illustrating the migration of dirty money to smaller FIs is the collective $8 million in fines assessed by the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) against a community bank in Southern California last February. Despite having less than $100 million in assets, FinCEN said that the bank’s lax vetting of foreign correspondent accounts and MSBs “allowed billions of dollars in transactions to flow through the U.S. financial system without effective monitoring to adequately detect and report suspicious activity.”
Dovetailing with this case, is the $184 million settlement a prominent MSB reached with FinCEN and the U.S. Department of Justice (DOJ) last January to resolve AML violations, many of which were linked to a Chinese human trafficking operation. This AML enforcement action also speaks to the rising enforcement priority for human trafficking and explains why the banking industry is collectively updating transaction monitoring systems (TMS) to identify accounts pointing to this crime.7 For example, banks are now fine-tuning their TMS to flag the following human trafficking indicators:
- Multiple people sending money to the same beneficiary
- Purchases from high-risk classified Websites
- Wiring money to high-intensity trafficking areas
- Cross-referencing numbers to see if they correspond to illegal classified postings
To spot human trafficking transactions, terrorism financing networks, and other financial crimes, FIs are deploying cutting-edge regulatory technologies (regtech) and analytics tools to mine customer data more intelligently.8 Regtech, particularly as it pertains to customer identification on the front end, has also become instrumental for compliance with new UBO regimes.9
Regulators raise the stakes for UBO
FIs have until May 11, 2018 to integrate UBO data collection into their standard CDD processes. To comply with FinCEN’s final rule, covered institutions need to identify and collect information on any UBO, who owns 25 percent or more of a legal entity, or who exerts significant operating control over the business. The recent Thomson Reuters AML survey discovered that despite many FIs already collecting information at required thresholds, the UBO rule was second only to the NYDFS final rule, in terms of generating increased workload.10
According to the survey, the three most frequently reported operating challenges for UBO compliance were the inability to validate information, the increased length and complexity of the onboarding process, and difficulties in keeping the information timely. Adding another wrench to UBO governance, is recent guidance from FinCEN Acting Director Jamal El-Hindi, suggesting UBO data collection is a risk-based process, which makes FIs’ efforts to comply with the rule more open to regulatory interpretation.
At a financial crimes conference in December, El-Hindi told attendees that his agency encourages “banks to collect additional information on customers below the 25 percent equity interest threshold in order to “support industry’s own efforts” when they feel they need to collect information at a lower threshold.”11 The FinCEN chief’s elevated rhetoric may be a response to the November Paradise Papers leak, a data dump of 13.4-million client documents, many of which are linked to offshore law firm Appleby and corporate services provider Estera.12
The latest scandal exposed by the International Consortium of Investigative Journalists (ICIJ), leaked Appleby records revealed the dubious offshore dealings of high-profile officials like the Queen of England and U.S. Commerce Secretary Wilbur Ross.13 Highlighting UBO’s relationship to the broader AML ecosystem, the Paradise Papers unveiled Ross as the hidden owner of Navigator Holdings, “a shipping firm with business ties to a Russian oligarch subject to American sanctions.”14
Thus, as OFAC sanctions propel UBO verification into a top priority for BSA regulators, FIs need to ensure that they are working with the best AML and KYC data providers. Banks will also need to break their internal data silos and upgrade IT systems to process the coming tidal wave of UBO data, a compliance asset that has proven essential in emerging cyber-money laundering investigations.
Cyber-enabled financial crime disrupts AML
The rise of mobile internet payment systems (MIPS), online lenders, digital identity theft, and cryptocurrencies, innovation has empowered money launderers with next-generation tools to deceive legacy AML systems. The latter topic of virtual currencies has become a key pain point for AML regulators, as law enforcement officials have said their investigations are increasingly uncovering criminals’ preference for cryptocurrencies to cover their tracks.15 In the U.S., there have been at least half a dozen cases involving dark Web drug traffickers tied to Chinese fentanyl rings and the underground AlphaBay drug bazar who used bitcoin and more anonymity enhancing cryptocurrencies to transact online.
Before the July arrest of Alexander Vinnik, the alleged mastermind of a bitcoin exchange that laundered $4 billion in cryptocurrency transactions, that U.S. authorities say were tied to drug trafficking, cybercrime and tax fraud, BTC-e was a hub for dark Web money laundering.16 As luck would have it, UBO data was the smoking gun that led U.S. Treasury investigators to Vinnik. The indictment says that corporate registration records revealed Vinnik to be the “owner and operator of multiple BTC-e accounts, including administrator accounts, and also a primary beneficial owner of BTC-e’s managing shell company, Canton Business Corporation.”
Beyond UBO considerations, some companies are creating new analytics solutions to unmask the owners of cryptocurrency by linking their virtual wallet information to other personally identifying relational data points, including email address and other online records.17 Some of these records include avatars and usernames are pulled from dark Web forums.
It follows that TMS risk-screening will increasingly need to factor alternative data inputs, like the dark Web transaction chains being mined by cryptocurrency forensics tools, to mitigate AML risk in the digital age. Furthermore, a regtech solution that indexes the stolen identity records being trafficked on dark Web forums will also help traditional FIs and emerging financial technology (fintech) firms combat other growing cyber-risks like synthetic identity fraud and transaction laundering.
Despite all of these new developments in AML enforcement, personal criminal and civil liability is the trend that should concern compliance officers most. In 2017, authorities sentenced the chief compliance officer (CCO) of a New York-based broker-dealer to six months in jail for laundering funds he obtained by defrauding foreign investors. Also, in May 2017, the U.S. District Court for the Southern District of New York issued a $250-thousand civil judgment against the CCO of a prominent MSB for, among other things, deliberately structuring his company’s AML program to withhold consumer fraud data.
With the stakes of AML compliance arguably higher than ever, verifying customer identity has become the pillar of risk management in financial services. By leveraging high-quality AML data and restructuring IT systems to accommodate the new wave of artificial intelligence-powered regtech applications, FIs can ensure more accurate and effective customer identification at the front end. This way, compliance personnel can spend less time on low-priority issues like rummaging through mountains of false-positive suspicious activity reports (SAR). Still, the more pertinent lesson for compliance executives is that a data and regtech-led AML strategy may be the thin red line between job stability and a jail sentence.
About the author
Tim Lloyd is a financial journalist and Bank Secrecy Act subject-matter expert, specializing in banking industry compliance, regulatory technology, blockchain governance, information security, and risk. His coverage focuses on financial technologies and the growing symbiosis between money laundering and cyber-enabled crime. His ghostwritten and published work has been featured in the Financial Times, The Wall Street Journal, Bloomberg Treasury & Risk Management, Forbes, Dealbreaker, Equities, InSight Crime, Investor’s Business Daily, VentureBeat, and others. He is completing his master’s in Specialized Journalism at the University of Southern California in Los Angeles.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.