Eliminate Silos to Optimize Financial Crime Management

In the US, the cost of anti money laundering (“AML”) compliance is estimated at $23.5 billion per year. European banks come close with an estimated $20 billion spent annually. This spend goes towards technology, operational processes, people and legal / consulting costs.

Within the financial crime domain, fraud is a further significant cost area. While sometimes representing less of a direct compliance risk, fraud may result in losses, foregone revenue and remediation costs. Fraud (or false positives identified by a fraud system) also usually result in a negative customer experience. In the case of a rejected card authorization customers often switch to another card in their wallet and continue to use that card for future purchases.

Financial institutions are investing heavily in enhancing financial crime processes and technology. A desire to enhance the productivity of their financial crime operations is one driver. Increased fraud rates during the COVID epidemic and evolving regulatory demands are others. For example, in the US the Anti-Money Laundering Act (AMLA) of 2020 is expected to be a catalyst for investment and change as its provisions are progressively implemented.

In the EU, the ECB’s TIBER framework that enables regulators to test the cyber defenses of banks in their country and has placed additional focus on cyber for many banks.

As financial institutions adapt to these changes some have identified the opportunity to consolidate what are often siloed financial crime operations.

Consider an example — abstracted for simplicity:

• As part of AML transaction monitoring responsibilities a Canadian bank is required to report a SWIFT MT103 transfer of more than $10,000 or two or more transfers within 24 hours that total more than $10,000.
• Apart from applying other rules the bank should also report generally “suspicious transactions” as part of its AML transaction monitoring responsibilities. FINTRAC suggest “it is the consideration of many factors, not any one factor, that will lead to a conclusion that there are reasonable grounds to suspect that a transaction is related to a money laundering or terrorist financing offence”.
• Parties to a transaction must be screened against multiple watchlists. In some cases KYC processes completed at onboarding must be repeated on a regular basis for corporate clients.
• All the above activities might today be handled by an ‘AML team’. The same team might be responsible for onboarding and/or ongoing KYC.
• At the same time the bank also needs to monitor customer authentications, activities and transactions that might represent a fraud — for example through account takeover. Unlike AML transaction monitoring this usually needs to be done in real time so that either the transaction itself can be stopped or at least subsequent transactions (perhaps originating through the same account takeover action) can be stopped quickly. Real-time payment systems have placed more pressure on these processes. These activities might be handled by a fraud team or multiple fraud teams (for example for card, online & mobile banking etc).
• Finally, complementary to the above perimeter security systems, identity systems, mobile banking app logs and many more would be monitored for anomalous or threatening behavior as part of the bank’s cyber defense capability. A cyber team might be responsible for this monitoring.

The siloed nature of the above activities in some banks is due to the evolution of both regulation and the services offered by the bank.

Considering the above — what are the key opportunities for consolidation and optimization? The simplified generic financial crime management process below will be used as context for identifying opportunities.

Generic Financial Crime Management Process

Prevention & Detection

Since there is an overlap in identifying suspicious behavior (typically broadly defined in terms of AML regulation once moving beyond defined rules for suspicious activity) and anomalous or suspicious behavior that might indicate fraud, an immediate opportunity is to consolidate transaction monitoring and fraud detection processes.

• A single real-time data pipeline can feed data for both uses even though the transaction monitoring detection processes may not need to act in real-time.
• Data matched from multiple sources (for example authentication information linked to the transaction) is useful for both fraud models and in detecting uncharacteristic behavior for transaction monitoring. Watchlist screening could also form part of the matching process provided there is a capability to optimize future matching based on subsequent case worker input — as is provided for in many screening solutions today.
  Determining ultimate beneficial ownership of corporate entities may also form part of the matching process. As some countries look to improve access to ownership registers (the AMLA act in the US, for example, envisages easier access to a consolidated register) this process may become more robust.
• On the fly profiling is useful for both fraud and to support the application of rules based based transaction monitoring. In the same way an aggregation might be used to detect total payment values exceeding $10,000 in a 24 hour period (see example above) — to invoke a transaction monitoring rule. Others — such as average transaction counts for a customer per month or day — may be useful as features in anomaly detection fraud models. Profiling in real-time for fraud is eminently possible with cloud-based capacity.
• Anomaly detection models may differ depending on whether fraud or transaction monitoring is the target but both may be run on the same platform with access to the same data.
  It would make sense to have the same data scientists working on the models — enabling them to benefit from sharing insights into anomalous behavior / bad actor detection.
• ISV’s are starting to support common converged scenarios like the above in their technologies.
• Some customers are choosing to build their own pipelines and matching and profiling / aggregation capabilities using services available in modern cloud environments and then applying their own models or ISV financial crime solutions to the resulting data. This can make sense if the bank would like to exploit the opportunity to use the matched data for other purposes like next best action determination.

The diagram below highlights in red technology capabilities that could be shared in the above consolidation scenario. Rules authoring and detection could also conceivably have uses beyond transaction monitoring in fraud.

In a more comprehensive approach cyber, internal and other fraud detection could also be brought together under the same approach. Log data — often complimentary to (or overlapping) the data shown in the above diagram may be analyzed after the fact using rules and machine learning models to pick up anomalous behavior patterns. This is illustrated in the diagram below.

A consolidated effort incorporating cyber is also more likely to be able to respond quickly to attacks or vulnerabilities identified by authorities or tech firms. The impact of these may range from increased risk of a cyber event like a DoS attack to risk of account takeover.

Combining the data processing, rules definition and data science teams responsible for the detection environments can help. In so doing, members of this team may share insights into bad actor patterns that may be helpful across the various domains. Consolidated management of the data pipeline can also be more efficient as changes to source systems can be understood and adapted to more easily.

Post Detection: Customer Engagement, Investigation & Reporting

Post detection activities may also provide opportunities for consolidation:

• Automated or intermediated customer engagement after any financial crime ‘event’ may involve orchestrating back-end systems (for example to suspend access), reaching the customer through some channel — message, app or call centre call and then conducting further follow up. Most of these interactions if required can be consolidated and this may lead to a more logical experience for the customer.
• Investigation process flows may differ for transaction monitoring vs. cyber vs. fraud. By consolidating these investigation processes and teams on a platform that supports multiple easily configurable process flows and reporting means better consolidated insights into bad actor patterns are likely to be available. And investigators may spot emerging threats with multiple points of attack more easily. Valid behavioral shifts affecting anomalous behavior detection and false positive alerts may also be more quickly and comprehensively responded to.
  Flexibility in the establishment or reconfiguration of investigation workflows in a case management system is important to quickly adapt to new threats or regulator guidance on handling certain types of case.
  Increasingly, consolidated case outcomes data will be used as feedback to train or optimize detection models.
• Formal regulator reporting is more likely to lend itself to specialization based on the type of case — but this could still be done out of a consolidated team. Also, some intelligence centers are investing more in analysis of submissions that will lead to greater collaboration with banks on patterns over time. In the UK this is already happening and the AMLA Act in the US may result in expansion of the FinCEN’s activities in this area. This collaboration will be made easier if the bank has a consolidated view of interactions.

Where to start

1. At a technology level, engineering a consolidated real-time feed of customer, activity and transactional data and adding matching and profiling capabilities is likely to deliver a clear return on investment for financial crime solutions in the short term. This same feed of data has multiple uses in the medium term to drive real-time customer offers and interventions.
2. In parallel, ensure that log data from banking applications, identity solutions, perimeter defense layers and more is being consolidated into a solution that supports the future creation of the bank’s own anomaly detection models and rules.
3. At a people level, create a v-team that spans cyber, fraud and AML — transaction monitoring detection. Consider sharing reports & insights in regular v-team call and establish a dashboard highlighting emerging threat patterns across all the teams. Look toward merging teams as detection and case management technologies are able to support consolidated operations and flexible workflowed processes.
4. In responding to new regulation, create a master plan for financial crime teams and technologies rather than just looking to meet specific regulatory requirements one by one.
5. Consider a flexible financial crime ISV strategy as solutions evolve rapidly in market. Also consider the extent to which the bank’s own data science skills will be in used to enhance detection. For larger environments assume data science skills will be valuable within the financial crime team. Set clear preconditions for retiring older technologies that will often have to operate in parallel for some time.