Until recently, the focus for many financial institutions (FIs) has been on detecting money laundering and retrieving the proceeds of crime. And given that the most high-profile enforcement cases center around the act of laundering money itself, it’s understandable that FIs and regulators alike have targeted their resources towards this issue. 

But this approach comes with its own risks. Given the legislative shift towards targeting the facilitation of and failure to prevent financial crime, Compliance and Operations teams are increasingly under pressure to understand and be able to flag the wider framework of crimes that are predicate offenses to money laundering. Failing to do so could expose them to criminality and regulatory rebuke. Legislation aside, there’s also a moral imperative on firms to help expose criminal activity – at least where it is reasonably possible for them to do so. 

To do this effectively, firms must look beyond simply identifying potential money laundering in customer activity and adopt a broader view that enables them to identify associations with predicate offenses and monitor customer risk on an ongoing basis.

Yet, this is no small feat. 2022 was a challenging year for Anti-Financial Crime (AFC) practitioners, and 2023 shows no signs of being any easier. Compliance teams are increasingly stretched thin. 

At a recent roundtable discussion at Transform Finance UK, I hosted representatives from a broad spectrum of organizations, including some of the largest global FIs. They provided insightful perspectives on the challenges they face around detecting predicate offenses and some recommendations for best practices. 

Here are my top three takeaways from the discussion. 

1. Pervasive short-termism inhibits problem-solving

Findings from our State of Financial Crime research suggests 69 percent of UK firms were planning to increase headcount this year – much higher than the global average of 58 percent. This was echoed around the table, with firms frequently opting to invest in headcount over technology as a quick-fix solution. Many raised long implementation times for vendor technology solutions as a barrier to adopting technology, pointing towards hiring as a quicker option to solve an immediate compliance challenge.

However, increasing headcount can lead to more problems than it solves. Not only are firms grappling with nationwide skills and labor shortages, which are driving up compliance salaries, but higher numbers of staff increase the burden on quality assurance processes and teams. This reactionary approach treats the symptoms and not the cause; to get to the root of the problem, FIs need a more considered approach.

Hiring decisions should be approached strategically, taking into consideration the in-demand technical skills that compliance teams are often lacking. By creating defenses that blend the best that human talent and technology can offer, firms can more effectively detect money laundering and associated predicate crimes. Technology can be deployed to assess and triage risk at scale whilst also shouldering the burden of repetitive lower-risk cases so that humans can focus their finer skills on higher-risk, more complex compliance tasks.

2. Clear processes are needed to prioritize threats and ensure smooth information flow

The people challenges outlined above are compounded by the fact that there are many silos in financial crime compliance workflows – especially in very large organizations. It’s not uncommon for each compliance process – from client activity monitoring to sanctions screening – to be handled by separate, distinct teams. 

This is challenging for leaders who need their teams to be alive to the wider risk landscape, including predicate offenses. Processes and procedures need to make the implications of any alerts clear, break down barriers in communication, and ensure analysts know how to escalate alerts to the teams who would be concerned about them. 

Consideration should also be given to educating the wider organization on how to spot suspected predicate offenses to ensure suspicious activity doesn’t go unnoticed. Some approaches include training or better interaction with law enforcement to provide analysts with a better contextual understanding of how predicate offenses play out in practice. 

3. Investment in AI-driven tools that can help scale and automate financial crime risk detection will be critical in 2023

The implementation of technology solutions can result in soaring false positive rates if configured incorrectly – one firm I spoke to experienced false positive rates of 95 percent. Sadly this is far from unusual.

This is why it’s so important to deploy tools that leverage artificial intelligence (AI)  that can be calibrated to match a firm’s risk appetite and flexible enough to address emerging risks such as evolving sanctions regimes, politically exposed person (PEP) status changes, and negative news. 

Done well, technology can deliver significant efficiency savings. In one specific use case –  negative news screening – I’ve seen the use of AI reduce hit rates by up to 90 percent and onboarding cycle times by 80 percent; statistics that compliance teams would welcome, the wider business and customers alike.

The post Combine People, Processes, and Technology to Protect Against Predicate Offenses appeared first on ComplyAdvantage.

On March 16th, the Financial Conduct Authority (FCA) issued a “Dear CEO” letter to payments firms authorized or registered under the Payment Services Regulations 2017, and Electronic Money Regulations 2011. 

In it, Matthew Long, the FCA’s Director of Payments and Digital Assets said the regulator remains “concerned that many payments firms do not have sufficiently robust controls and that as a result, some firms present an unacceptable risk of harm to their customers and to financial system integrity. We consider that the risk of customer harm is heightened by the tightening economic conditions and the cost-of-living crisis.”

The letter is framed around three core outcomes payment firms must achieve: 

1. Ensure your customers’ money is safe.
2. Ensure your firm does not compromise financial system integrity.
3. Meet your customers’ needs, including through high-quality products and services, competition and innovation, and robust implementation of the FCA Consumer Duty.

Implications for Fraud and AML Professionals 

Many of the FCA’s points – especially related to objectives two and three – center on issues related to fraud, money laundering, and sanctions. Here, we explore those in more detail and highlight actionable steps firms can take to help ensure they are compliant. 

Priority 1: Money Laundering & Sanctions

The FCA states that “All firms that are subject to the UK’s Money Laundering Regulations must have in place systems and controls to identify, assess, monitor and manage money laundering risk. These must be comprehensive and proportionate to the nature, scale, and complexity of a firm’s activities. With regard to economic and financial sanctions, firms must ensure that they operate effective systems and controls, in order to identify and manage any sanctions exposure and risk, associated with their customers and business activities.”

Common issues identified in the regulator’s work with firms over the last two years focused heavily on issues related to control, governance, record keeping, and the risk-based approach. Specifically, these included:

• Failure to carry out and/or to evidence adequate know your customer (KYC)/due diligence.
• Business-wide risk assessments that are not supported by a robust and effective methodology.
• Failure to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape.
• Policies and procedures that are insufficiently detailed and tailored to firms’ business models.
• Failure to maintain and evolve the control framework, in line with or ahead of business growth.
• Failure to ensure name screening solutions from third-party providers are appropriately and adequately calibrated to meet their business requirements.
• An inability to reasonably justify and/or verify why a sanction screening solution does not generate alerts against certain names on the UK’s Office of Financial Sanctions Implementation list.

The FCA states that it expects firms to: 

• Ensure that anti-money laundering systems and controls are effective and commensurate with the risks in the business, including as it grows over time. 
• Conduct regular reviews to assess compliance with anti-money laundering obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified. 
• Comply with responsibilities under the Proceeds of Crime Act 2002 and Terrorism Act 2000 through accurate and timely submissions of Suspicious Activity Reports (SARs) and regularly review themes from your SARs reporting.

What does this mean for your firm?

During the initial implementation process, we recommend that our clients make a detailed determination, based on their business model and related requirements, of the way they wish to configure their screening solution. Factors to consider include:

• The nature of their customers — For example, are their products offered to businesses or individuals? What geographies are covered for residence or trading activity? Is a customer risk-rating mechanism in place, allowing the firm to direct some, but not all, of their customers through an Enhanced Due Diligence process?
• Consistency and completeness of the data being sent for screening —  Is there consistency and predictability in the formatting of country names, dates of birth, prefixes, etc? Where there is more than one named individual associated with an account, how are several names being bifurcated before submission for screening? How are special characters being processed, etc?

Firms should ensure that the customer names submitted to any screening solution are derived using automated checks against official/state-issued identity documentation, as opposed to user-inputted. Implemented correctly, this can have a significant positive impact on the number of false positives emitted from name screening tools. ComplyAdvantage offers a high degree of configurability via various algorithmic levers which can help support false positive reduction in a structured onboarding process.

Once these steps have been taken, firms should devise tests for their screening solution by running name sets through the solution in a test environment, as part of their wider risk and control assessments. 

Test sets should be formatted to reflect live customer environments as closely as possible, including the variants firms would expect to see as a result of the processes they have put in place in that environment.

Firms should also ask vendors about the speed at which they can update their sanctions lists. In a tense, fragile geopolitical environment, new sanctions are likely to continue to be issued at pace and unpredictably, meaning that receiving updates as close to real-time as possible will be critical to ensure continued compliance with regulatory requirements.

Priority 2: Fraud 

The FCA notes it has seen “elevated fraud rates” in some payment and electronic money institutions. It notes the cost-of-living crisis as a potential driver of additional fraud. As a result, firms must “take action now to address weaknesses in their systems and controls to prevent fraud.” Common issues identified include:

• Insufficient emphasis on mitigating the risk of fraud against customers and insufficient customer education relating to fraud prevention.
• A lack of engagement with industry information-sharing bodies.
• Weaknesses in firms’ anti-fraud systems and controls.
• Backlogs that have led to fraud reports from consumers not being actioned within a reasonable timeframe by relevant staff.
• A high proportion of customer accounts being used to receive the proceeds of fraud.

The FCA has a clear sense of urgency around fraud, stating firms must “take immediate action” to protect customers against fraud, and ensure their firm is “not being used to receive the proceeds of fraud.” Firms are instructed to:

• Review internal risk appetite statements, policies, and procedures to ensure that these adequately address the risk of fraud to customers.
• Regularly review fraud prevention systems and controls to ensure that these are effective.
• Maintain appropriate customer due diligence controls at the onboarding stage and on an ongoing basis to identify and prevent accounts from being used to receive proceeds of fraud or financial crime.

What does this mean for your firm?

The combination of the economic downturn and the relentless adoption of new technologies provides fertile ground for new fraud typologies. That makes access to intelligent, real-time fraud detection information critical. It also means anti-fraud technologies that were effective even 12 months ago may now need to be renewed, to ensure they’re sufficiently capable of keeping up with the fast-paced world of fraud. The reality is, fraudsters will be the first adopters of any new technology, and firms need to work with partners who are capable of keeping pace.

At ComplyAdvantage, we approach fraud and AML holistically with our clients. Across both categories, a common challenge we see is a reliance on static rules to detect fraud. A better approach is to deploy a model that dynamically adapts to criminal behavior while, crucially, providing analysts with clear reasons when alerts are created. 

It’s notable that the FCA explicitly called out alert backlogs in its letter. We work with clients to deploy machine learning algorithms that can help them to prioritize alerts based on the risk they present. This enables them to be filtered, sorted and allocated more efficiently. This enhances our clients’ risk-based approach while making sure their analysts’ time is being used effectively. 

Another best practice is to be network-driven. Complex fraud cases are rarely the result of a lone actor, but legacy systems will focus on screening and monitoring individuals. A more effective strategy leverages AI to identify links between accounts – whether related to an individual(s) or an organization(s) – to help clients identify the true scale of the problem. 

We also work with our clients to support emerging payment types and to take advantage of the richer, structured data that ISO 20022 brings with it. It’s set to be introduced into the Clearing House Automated Payments System (CHAPS) on June 19th, 2023. The Bank of England states explicitly that it expects improved fraud and financial crime detection to be a key benefit of this transition. To learn more about how the migration to ISO 2022 can enhance your financial crime risk management, book a meeting with our team here.

But even with the best regtech and compliance team, fighting fraud takes a village. That’s why it is critical firms find ways to share information and knowledge. This could be through participation in data-sharing initiatives like CIFAS, working with technology and data vendors who monitor and respond to emerging criminal typologies, or participating in regulator consultations. 

Finally, we know that it’s next to impossible for compliance officers to keep on top of new developments alongside competing work demands and day-to-day responsibilities. That’s why we regularly publish our analysis and research on key trends and new regulations. We’re also regularly hosting and attending industry events to facilitate discussions between practitioners. You can find all our latest thought leadership content on our website. 

Next Steps

The FCA states that firms should ensure their board or executive committee review and consider which risks apply to them, and take appropriate action. It warns firms it will expect them to “explain the actions it has taken in response to this letter on request.”

Finally, the FCA notes that its wider strategy for 2022-25 has a strong focus on reducing and preventing financial crime, with a key plank of this being a commitment to act “earlier and more assertively in dealing with problem firms.” It notes it will “remove or sanction” organizations that “cannot or will not meet our standards.”

The post FCA Priorities for Payment Firms March 2023: Implications for Fraud and AML Professionals appeared first on ComplyAdvantage.

In our 2023 global compliance survey, 39 percent of respondents said the type of fraud they were most concerned about was credit/debit card fraud, closely followed by identity theft (36 percent) – both of which have a close proximity to ATO. 

As fraud and scams continue to evolve, it is critical for compliance teams to enhance their knowledge of specific fraud types so mitigation efforts are targeted and effective. 

What is Account Takeover Fraud (ATO)?

Account takeover fraud (ATO) occurs when a criminal takes control of a victim’s online account to steal funds or sensitive information. This can happen when a customer’s login details – such as username and password – are used without permission to access their bank account, credit card, mobile phone account, or eCommerce account. The cybercriminals then make fraudulent transactions from the customer’s account, using sophisticated techniques to remain undetected and avoid raising suspicions from the victim or their bank.

Commonly, customers’ credentials are stolen or bought on the dark web in order to commit ATO. This cybercrime has become even easier following several high-profile data breaches affecting large corporations. Once the credentials have been stolen, the criminals either financially defraud the victim or sell their details to a third party. For example, a cybercriminal may pay over $1,000 for the credentials to illegally access a PayPal account.

How Does Account Takeover Fraud Differ From Identity Theft? 

While account takeover fraud and identity theft are similar, the concepts are not interchangeable. With ATO, a victim’s credentials (username and/or password) are stolen for financial gain. With identity fraud, cybercriminals typically have access to some of the customer’s details, but not their login credentials. 

The two fraud types, however, do have a strong connection. Aite Novarica found that 64 percent of US consumers who experienced identity theft in 2021 also experienced account takeover fraud. 

What Methods are used in Account Takeover Fraud?

Common ATO methods include:

• Credential stuffing: With credential stuffing, fraudsters use automated tools, or bots, to test lists or databases to find a match. When people use the same username and password across more than one service provider, this makes it easier for criminals to illegally access customer accounts. This type of cybercrime is also known as list cleaning, breach replay, or password spraying. 
• Brute force attacks: In a brute force attack, cybercriminals use bots to try to hack into accounts by trying multiple different passwords on a single site. This is similar to credential stuffing, but more guesswork is involved. When the bots use random words to try to guess a customer’s password, this is known as a dictionary attack.
• SIM swaps: SIM swapping is a form of social engineering where a criminal transfers the victim’s phone number to their own SIM card. This means they can access the victim’s mobile banking app and intercept security measures such as one-time passwords (OTPs). They can also access any data on the SIM that helps them discover other passwords or personal identifying information (PII).
• Phishing and social engineering: An estimated 22 percent of people in the US have been victims of account takeover fraud, with phishing and social engineering among the most common methods. Fraudsters use information easily discovered online to trick victims into revealing PII. They then use this information to commit account takeover identity theft. Criminals can also send emails to your contacts to try to defraud them too. 
• Man-in-the-middle attacks: Man-in-the-middle attacks are commonly carried out on people accessing public hotspots when they are out and about. Bad actors can disguise their network as a public hotspot and steal payment data from unsuspecting victims. For this reason, many financial institutions encourage customers not to carry out financial transactions over public Wi-Fi hotspots.
• Malware: Criminals adept in account takeover fraud are becoming even more sophisticated, and some are now using malware to intercept OTPs (One-Time Passwords).

How to Detect Account Takeover Fraud?

With global e-commerce sales set to reach $8.1 trillion by 2026, it has never been more important to get ahead of criminal trends, technology, and behaviors. 

Compliance and fraud professionals in financial institutions should be aware of red flags related to this practice and trained in how to spot and report illegal activity. Fraud and anti-money laundering (AML) teams should work together to share information in order to provide a high level of ATO protection. A fraud and AML (FRAML) approach can aid early detection, improve efficiencies and help professionals stay ahead of new typologies.

Examples of account takeover red flags include:

• Multiple login attempts
• Multiple password change requests
• Changes to the back-up device or email address where OTPs are sent
• Notifications being turned off
• Changes to contact details, including postal address and zip code
• Setting up of a new payee or authorized user
• Requesting credit cards or cheque books to a new address

While no single red flag will reveal if an account has been compromised, firms should consider each transaction’s relevant facts and circumstances in line with a risk-based approach to compliance. 

How Can Companies Protect Themselves Against Account Takeover Fraud?

There are a number of methods financial organizations use for account takeover protection. For example, many firms typically:

• Encourage customers to practice good password hygiene: change passwords regularly; use a password manager encryption service; avoid using the same password across multiple sites
• Alert customers if their username or password has been compromised in a data breach
• Offer customers the option to be contacted before their credit limit is increased
• Require customers to request a credit limit increase in a branch or over the phone rather than online
• Recommend customers turn on multi-factor identification (MFA) 
• Send an email and/or text when a change has been made
• Include fraud alerts at relevant points in the customer journey
• Use methods, such as CAPTCHA, to spot and block bots

ATO methods are constantly being devised and adapted by cybercriminals. Firms can use fraud detection technology to look for patterns and identify risks in real-time. Customer screening and transaction monitoring solutions that utilize artificial intelligence can compare a customer’s typical behavior with current behavior to identify and block suspicious activity. In the future, biometrics may also be key to account takeover fraud protection.

The post What is Account Takeover Fraud? appeared first on ComplyAdvantage.

Due to the far-reaching impact of money laundering on the property sector – including consequences of a social and economic nature – it’s critical for compliance professionals to understand how the typology works and what tools are needs to better mitigate the risk it presents. 

How Does Money Laundering Through Real Estate Work?

Money laundering through real estate integrates illicit funds into the legitimate financial system while also providing the criminal with a relatively “safe” property investment. This can include the purchase of houses, apartments, office space, factories, hotels, vineyards, etc.

Criminals can further enrich themselves by:

• Renting out a property they have purchased  
• Renovating a new property and re-selling it 
• Cashing in on property appreciation over time

In addition, the price of real estate is fairly easy to manipulate and, with collusion, property can be over- or undervalued. In fact, gatekeepers in the sector – realtors, property developers, mortgage advisors, brokers, etc. – have sometimes been found to be complicit and accept financial compensation to turn a blind eye to real estate money laundering.

Some other techniques that criminals use to launder money through real estate include:

• Setting up shell companies or front companies to purchase a property. In the US, for example, anonymous shell companies can be set up in places like Delaware, Nevada, Wyoming, and North Dakota.
• Using cash or other non-transparent financing schemes.
• Selling properties to co-conspirators
• Using opaque trusts or third parties to to act as the property’s legal owner 

Examples of Money Laundering in Real Estate

Countries including the US, the UK, Australia, Canada, and Germany are known as money laundering real estate hubs with hotspots in London, Toronto, Vancouver, and New York. 

The US Department of Justice and its Kleptocracy Asset Recovery Initiative have worked on many cases involving both residential and commercial property. In one case, a Honduran man pleaded guilty to receiving over $1m in bribes. Being a government official, the defendant worked with his brother to launder money through international wire transfers and used the proceeds to purchase properties in New Orleans, including office spaces.

In February 2022, a private bank was alleged to have turned a blind eye to several illegal real estate transactions, including allowing an account owned by the Vatican to spend $350m investing in London property. The Vatican was also found to have lost millions of euros to mortgage brokers – much of it donated by the Catholic community. Another allegation against the bank involved drug traffickers investing millions of funds, which they used to buy property in Bulgaria. 

Additionally, a report by Transparency International found that £1.5bn of UK property – mostly in London – was bought by Russians who had been accused of corruption and/or sanctioned. The nonprofit also found that 2,189 firms registered in the UK and its overseas territories were used in 48 Russian money laundering and corruption cases. Combined, these cases involved more than £82 billion worth of funds disguised by rigged procurement, embezzlement, and bribery.

Money Laundering Red Flags in Real Estate

Money laundering real estate red flags, include:

• Investors using multiple banks to stay under reporting thresholds 
• Sales conducted in cash with no mortgage lenders involved – in places like Miami and Manhattan, over 60 percent of real estate transactions of $2m+ made by international investors are cash transactions 
• A large disparity between the buyer’s income and the value of the property 
• Purchases where the ultimate beneficial owner is not clear 
• A third party making the property purchase (known as a nominee purchaser)
• A large geographical distance between where the investor is currently located and where they are buying property
• Properties purchased using “loan back” – money is deposited in an offshore bank account and borrowed back by a shell company, the owner of which happens to be the person who controls the offshore bank account
• If the property is used as a physical base for other criminal activity, including if the property is being sublet – according to a webinar hosted by the Financial Action Task Force (FATF) on real estate money laundering

Other suspicious signs include sales between known criminals, ex-criminals, family members of criminals and/or politically exposed persons (PEPs).  

What is the Impact of Money Laundering on the Real Estate Markets?

Money laundering can have serious consequences on real estate markets, the economy, and communities. 

A few examples of the impact of real estate money laundering include:

• Property prices being artificially distorted, making it impossible for many people to afford housing (including rental) or commercial premises 
• Corruption
• Unfair competition
• Instability in the sector 
• Continuation of drug trafficking, human trafficking, terrorism, and other forms of organized crime 

Regulations That Help Mitigate Money Laundering Risks in Real Estate

The FATF’s 40 recommendations on money laundering statethat all designated non-financial businesses and professions (DNFBPs) be subject to risk-based AML supervision, including real estate. 

However, in the US, professionals involved in real estate closing and settlements are not currently required to adhere to AML and CTF programs and regulations. The US Treasury stated that the FATF found a low level of obligation implementation across jurisdictions as well as minimal suspicious activity reporting. They concluded that greater education is needed to successfully implement a risk-based approach to AML in real estate.

In line with these findings, the Biden administration announced it would be focusing on real estate embezzlement and corruption, with more scrutiny on all-cash transactions. This is one key loophole that real estate money laundering criminals continue to exploit. 

“Gatekeeper professions” in Australia, including real estate companies, are not currently subject to the country’s AML regime either. The CEO of the Australian Transaction Reports and Analysis Centre (AUSTRAC) has repeatedly voiced her concerns regarding this, singling out real estate as posing “a particular danger.” Transparency International’s 2022 report echoed Rose’s concerns, highlighting the role of Australian real estate in the fight against Russian dirty money. The report noted that with no centralized real estate ownership register, it is exceedingly difficult to identify the ultimate beneficiaries of transactions and stop Russian kleptocrats from investing in the country’s real estate market. As of March 2023, no amendments concerning gatekeeper professions have been announced.

Regulatory Focus Areas: Beneficial Ownership and Reporting

Criminals know that if they transact purely in cash, property professionals and gatekeepers are not obliged to obtain proof of identity or report suspicious behavior. With an estimated third of US property sales financed purely with cash  in October 2022, FinCEN expanded its Geographic Targeting Orders (GTOs) to try to close this loophole. Many believe that GTOs are preferable to a “one size fits all” approach across the whole of the US. With these restrictions in place, it should be more difficult for criminals to purchase real estate in all-cash deals via shell companies. 

Regarding AML measures in real estate, regulators have two key areas of focus:

• The importance of identifying the ultimate beneficial owner (UBO) of any companies buying luxury property – the UK introduced the unexplained wealth order (UWO) legislation in 2018 and launched a public Register of Overseas Entities in 2022, which applies retrospectively and carries strict penalties.
• The importance of filing suspicious activity reports (SARs) – with the expectation on real estate professionals, legal advisers, and lenders to prioritize compliance.

How Can Real Estate Companies Detect and Prevent Money Laundering?

Property companies need robust AML compliance policies and real estate professionals need regular up-to-date training. Experts from the FATF recommend that real estate professionals educate their clients about the importance of due diligence in the sector.

Important steps include:

• Robust customer screening and transaction monitoring
• Thorough sanctions screening
• Understanding the difference between, and identifying, source of wealth (SoW) and source of funds (SoF)
• Reporting suspicious transactions
• Carrying out due diligence and now your customer checks
• Verifying the UBO
• Adverse media monitoring for PEPs 

Technology is a key tool in the battle to spot real estate money laundering red flags, for example, smart software can be used to identify relationships and possible collusion between brokers and realtors. 

The post Understanding Money Laundering in Real Estate appeared first on ComplyAdvantage.

What is Simplified Due Diligence?

Simplified due diligence (SDD) is the lowest level of customer due diligence (CDD) that a financial institution can employ. It is a brief identity verification process that can be applied to eligible customers when the risk of money laundering or terrorist financing is deemed very “low”. It precedes standard due diligence – the most common level applied to low and medium-risk customers – and enhanced due diligence (EDD) – applied to high-risk customers.

Compared to higher levels of due diligence, SDD entails less intensive means of gathering information. Despite this, SDD must still respond to the four components of CDD outlined by the global financial crime watchdog, the Financial Action Task Force (FATF). These include:

• Customer identification and verification
• Beneficial owner identification and verification
• Understanding the purpose and nature of the relationship
• Ongoing monitoring

Who Qualifies for Simplified Due Diligence?

While every new prospective customer must undergo identity checks and verification, not every customer will qualify for SDD. Generally, the following customer types qualify for SDD because of their inherent low risk of ML/TF:

• Financial institutions that are subject to money laundering requirements, such as the European Union Anti-Money Laundering Directives (AMLDs)
• Entities that are accountable to a community institution and subject to appropriate check and balance procedures
• Public authorities that have a publicly available identity and transparent accounting practices
• Customers offering certain insurance policies, electronic money products, or pensions

However, the above list may vary depending on the jurisdiction, as not all countries permit SDD to be performed in the same way or under the same circumstances. In the EU, the Fourth Anti-Money Laundering Directive (4AMLD) noted that firms could no longer automatically apply SDD measures to a “pre-defined” list of customers. Instead, firms must now actively demonstrate low risk and provide robust rationale for using SDD. 

In Canada, firms can apply the “simplified identification method” to seven specific types of entities issued by Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provided firms also record their grounds for considering there is a low risk of ML/TF. By contrast, New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Act 2009 defines 19 customer types eligible for SDD. 

When is Simplified Due Diligence Needed?

Of the 40 Recommendations provided by the FATF, Recommendation 10 focuses on CDD, which includes SDD. The FATF recommends that due diligence measures should be undertaken when:

• Establishing a business relationship
• Suspicion is raised about money laundering or terrorist financing
• The financial institution questions the adequacy of previously obtained customer identification data
• Carrying out occasional transactions above the designated threshold (USD/EUR 15,000)

In these instances, firms will often undertake due diligence measures to identify the account’s beneficial owner, obtain information on the intended purpose of the business relationship, and complete source of wealth (SOW) and source of funds (SOF) checks. But, if there is a proven low risk of ML/TF and the account relates to a particular type of financial institution or activity, firms may decide to undertake a simplified set of due diligence measures. 

The FATF provides a non-prescriptive list of instances when SDD may be required:

• A financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis
• A financial product or service provides appropriately defined and limited services to certain types of customers
• A household has an average monthly income less than a predetermined amount

When identifying lower-risk situations suitable for SDD, compliance staff should ensure the scenarios are consistent with the assessment of overall ML/TF risks identified on a country and company-wide level. 

The Compliance Team’s Guide to Customer Onboarding

Learn how to prioritize risk and effectively manage it in our 5-part training series for compliance professionals.

Download now

What are the Steps Involved in the SDD Process?

1. The first stage of SDD is known as the customer identification process (CIP). This occurs during the customer onboarding phase before a business relationship has been established. During this stage, firms must ensure the sources they use to identify their customers are reliable and independent to mitigate the risk of criminals being onboarded with expertly forged documents.

2. Once a customer has been identified, firms must then determine the level of due diligence to perform. This decision should be made in light of an organization’s risk appetite informed by its business-wide risk assessment, which should also form the basis of a firm’s policies and procedures. These policies should indicate the type of customers and industries a firm is willing to do business with.
When assessing whether SDD is the appropriate level of due diligence to perform, compliance teams should consider their firm’s risk ratings related to:

• Customer-type 
• Jurisdiction
• Occupation
• Products and services offered
• Account-type
• Ownership structure

3. If the customer is deemed low-risk across the factors listed above, a simplified, less detailed identity verification process can begin. At this stage, firms can use public information or rely on fewer documents to verify a customer’s identity. Beneficial owners may also be identified without seeking additional information or documents to verify their identities. The purpose and nature of a proposed business relationship can also be inferred from the nature/type of both the client and the desired product or service.

4. Once the customer’s identity has been verified and they have been successfully onboarded, firms must undertake ongoing monitoring measures to ensure the client remains low-risk. If any unusual activity is flagged during this stage that is not commensurate with the customer’s risk profile, firms may decide to employ greater levels of CDD.

What is the Difference Between SDD and EDD?

Making up both ends of the due diligence spectrum, SDD and EDD differ in many ways. The table below outlines where they diverge across each element of the know-your-customer (KYC) process.

Ultimately, effective CDD measures are built on a combination of expertise and technology. As customer risk scores and criminal threats evolve, firms must be prepared to be flexible with their due diligence process. While SDD measures are less time and resource intensive than standard due diligence or EDD, firms should still utilize autonomous systems that refresh entity profiles within minutes of a change, lest a customer’s risk profile changes and they are no longer eligible for SDD.

The post What is Simplified Due Diligence (SDD)? appeared first on ComplyAdvantage.

With this in mind, how do illegitimate chargebacks differ from legitimate ones, and what can firms do about it?

Legitimate and Fraudulent Chargebacks: Key Differences

Before classifying any illegitimate chargeback as fraudulent, firms should be aware that intent is often required to legally prove an event as fraud. But regardless of intent, illegitimate chargebacks involve the same kinds of behaviors and consequences, leading the industry to commonly refer to illegitimate and fraudulent chargebacks interchangeably. 

Beyond this, proving intent can be elusive. For practical purposes, then, this article will only consider two chargeback categories: legitimate and fraudulent. Nonetheless, firms should consult their legal and compliance departments to ensure their official classifications are appropriate.

Legitimate Chargebacks

The chargeback process is intended to protect customers from unauthorized or unfulfilled transactions. Generally, chargebacks can be submitted legitimately in several key situations. Under the Fair Credit Billing Act (FCBA), customers are supported in disputes with creditors under conditions that include:

• Billing errors
• Unauthorized charges
• Charges for goods that weren’t delivered

According to the FCBA, a customer has 60 days to dispute an unauthorized or incorrect charge in writing. For bank and debit accounts, the Electronic Funds Transfer Act (EFTA) provides similar protections for unauthorized EFTs. To qualify under the Act, a transaction must:

• Not have been made by the customer
• Be made by someone without authority to do so
• Be of no benefit to the customer

Under the EFTA, a transaction does not count as unauthorized if the customer knowingly gave the third party access to their card or account. However, customers remain protected if they were deceived as to the identity of the perpetrator or had already contacted their financial institution to revoke permission before the transaction occurred.

Friendly Fraud

Fraudulent chargebacks, sometimes known as friendly fraud, occur because a customer falsely claims a legitimate dispute reason. This might include claiming:

• A legitimate charge was unauthorized
• Received goods never arrived
• A billing error occurred when it did not 

Generally, firms must undergo a process that requires demonstrating legitimate grounds for a chargeback in order to win the case. If merchants have grounds to believe a chargeback was initiated for misleading or illegitimate reasons, they may challenge the process. So it’s important for firms to ensure they understand legitimate and illegitimate grounds for chargebacks to avoid unnecessary resource drain.

What are the Business Consequences of Chargeback Fraud?

Chargebacks can lead to significant business costs, from revenue losses to chargeback fees – up to $50 per chargeback, and sometimes more. Beyond this, some firms may feel compelled to blacklist merchants that receive too many chargebacks – or in some other way decline to do business with them, further impacting profits.

Outside direct costs to firms, fraudulent chargebacks can fuel further criminal activity, including money laundering and related financial crimes. This, in turn, contributes to the rising compliance risks firms around the world are facing.

According to one report, 90 percent of surveyed firms reported being impacted by chargeback abuse, and only a minority felt they effectively managed it. But effective fraud risk management is essential to firms wishing to stay at the forefront of the fight against financial crime. 

How Can Firms Detect and Prevent Chargeback Fraud?

The measures that help firms prevent chargeback fraud are part of a broader, robust risk management system. They include proper customer documentation and onboarding – especially customer screening, including KYC measures – enabling firms to know who they are doing business with in the first place. Connected with this, robust customer and transaction documentation will help firms compare dispute claims with the records on hand.

Still, some fraud will always slip through the cracks, and for that purpose, a solid transaction monitoring system is indispensable. Many perpetrators of fraudulent chargebacks are repeat offenders, so the use of machine learning and artificial intelligence can pinpoint patterns invisible to the naked eye. For example, thanks to identity clustering, an artificial intelligence overlay can detect subtle red flags which might slip under a human radar – but add up to pinpoint a fraudster’s concealed identity.

Fraud risks will always be a part of the landscape for financial services providers, but with proper tools and knowledge, firms can stop illicit activity in its tracks.

The post What is Chargeback Fraud? appeared first on ComplyAdvantage.

What is ACH Fraud?

ACH fraud occurs when funds are stolen through the ACH network. A criminal needs two things to carry out ACH fraud: 

• A bank account number
• A bank routing number 

With this information, they can transfer money from the victim’s account, either as a lump sum or as recurring payments. They can also make unauthorized payments for goods or services. The time delay with ACH payments is a key vulnerability that financial criminals exploit. 

How Common is ACH fraud? 

Although not the most widespread fraud method, ACH scams are increasing. In 2021, the Association For Finance Professionals found that the percentage of survey respondents reporting fraudulent activity via ACH debits increased from 34 percent in 2020 to 37 percent in 2021. 

Examples of ACH Fraud

ACH fraud tends to affect medium-sized banks, businesses, and schools. In September 2022, the Federal Bureau of Investigations (FBI) Cyber Division issued a notification relating to cybercriminals increasingly targeting healthcare

payment processors to redirect victim payments. In one case, a large healthcare company lost $840,000 in an ACH scam, where a hacker impersonated an employee and changed the ACH instructions. 

In addition to “insider employee fraud” typical examples of ACH scams include:

• Data breaches: Criminals often gain access to customer credentials via a data breach. In this scenario, fraudsters log into bank accounts with bought or stolen information from the dark web before withdrawing funds through the ACH network. 
• Email phishing ACH scams: When a customer clicks a link in a phishing email, which sends them to a malicious website that infects their computer with malware. Fraudsters can track the customer’s keystrokes and discover their banking credentials. This is also known as spear phishing.
• Check kiting: In this type of ACH fraud, criminals move money back and forth between accounts at different banks. When the transfer is approved by the clearing house, it looks like the money is in the account, but it has already been moved.
• Loss or theft of debit card: If the loss or theft of a debit card is not immediately reported, criminals can use this window of time to carry out an unauthorized ACH withdrawal.

Many of these methods reveal other information that can lead to identity fraud and/or account takeover fraud. In fact, the Financial Crimes Enforcement Network (FinCEN) has frequently highlighted the connection between ACH fraud and identity fraud, with money being illegally transferred via ACH transfer to accounts that were set up with stolen or fake identities. 

What is the Impact of ACH Fraud on Businesses?

The impact of ACH fraud can be costly for organizations in terms of remediation time and money, both of which can negatively affect relationships with customers and prospects. Indeed,  a 2020 merchant survey found that “avoiding organizations or services I don’t trust” was the top way consumers say they protect the privacy and security of their personal data online.

Furthermore, in our 2023 global compliance survey, more than one in three senior compliance professionals cited “reputational risk” as the factor most likely to drive change within their organization. This was a 6 percentage point rise from the previous year and was the only factor to see a year-on-year increase. And with global executives attributing 63 percent of their firm’s market value to its reputation, it’s easy to see why concern levels are so high. 

ACH fraud also increases the likelihood of chargeback fraud, which occurs when a consumer requests a refund (or chargeback) from the card issuer despite having received goods from a merchant. 

How to Detect ACH Scams

ACH fraud detection is essential for firms of all sizes across all sectors. Current trends in the ACH fraud detection space include: 

• Secure APIs: Application programming interfaces (APIs) allow firms to detect fraud faster and more efficiently as it enables two systems to communicate integrate with one another. For example, with ComplyAdvantage’s RESTful API, firms can improve their operational efficiency and reduce false positives with access to real-time data. 
• Biometrics: Various biometric types, known as physical, linguistic, and behavioral modalities, can aid firms detect ACH fraud as they help identify the actual human being that is interacting with a device or service. 
• Enhanced behavioral analytics: Behavioral analytics that ultize machine learning capabilities can help firms build an accurate picture of “expected” versus “unexpected” account behavior, so action be taken to mitigate risk in near to real-time.

When employing any of the above fraud detection solutions, firms must ensure they are calibrated in such a way that reflects their organization’s risk appetite. When adopting a risk-based approach, firms should consider the level of threat ACH fraud poses to their business and deploy solutions accordingly. Transaction monitoring tools should also be fine-tuned to detect specific ACH red flags, including

• ACH transactions taking place across different geographic areas
• Customers using a different device or account to their preferred choice
• Employees who are found breaking security protocols
• Customers showing signs of being phished
• Customers with a high rate of ACH chargebacks

How Can Companies Prevent ACH Fraud?

ACH fraud prevention measures used by businesses may include:

• ACH freeze barrier: This allows companies to block unauthorized transfers from a customer’s account.
• ACH fraud filter: This allows companies to filter between authorized and unauthorized debits and credits.
• Authorized user list: Customers can create a list of allowed regular transactions.
• Multi-factor authentication (MFA): Requiring customers to use MFA when logging in and making transfers.
• One-time payment (OTP) authorization: One payment is authorized at a time – this is also known as “positive pay”.

Company employees need to be fully trained in how to prevent ACH fraud. Compliance and fraud professionals must stay on top of new typologies and trends, as well as regulatory updates and in-house know your customer (KYC) policies.

Firms should also have strong security measures in place, for example using data encryption when storing and sending customer credentials – including credentials given over the telephone where calls are recorded. This information should never be stored locally.

The post What is ACH Fraud and How to Prevent It appeared first on ComplyAdvantage.

While many cases of return fraud are carried out by lone actors, according to the National Retail Federation (NRF), organized retail crime (ORC) is a burgeoning threat within the retail industry. With such collaborative forces at work, compliance staff need to be aware of the red flag indicators of return fraud and how it can best be prevented.

What is Return Fraud?

Return fraud is a type of payment fraud that abuses a merchant’s return policy. It involves returning an item to a retailer that does not qualify for a return or refund, such as:

• Stolen merchandise
• Items that have already been used
• Items purchased from a different retailer
• Returning counterfeit items

Also known as return abuse, return fraud is regarded as one of the most common retail fraud typologies and can take place both online and in-store. 

What is the Difference Between Return and Refund Fraud?

While return fraud centers around taking advantage of customer-friendly return policies, refund fraud involves making false claims about an item to receive a refund without returning the item in question. 

The revenue losses for the two different fraud types also vary. With return fraud, merchants lose the revenue from the initial sale, but sellers dealing with refund fraud also lose the revenue from any potential resale. 

What is the Impact of Return Fraud?

While honest mistakes do happen, according to the NRF, “retailers incur $166 million in merchandise returns for every $1 billion in sales” – and lose $10.40 to return fraud for every $100 of returned merchandise accepted. This equates to an estimated $24 billion in losses per year.

Incidents of return fraud are particularly high during holiday seasons: 25 percent of annual product returns occur between Thanksgiving and New Year’s Day. According to credit reporting agency TransUnion, e-commerce fraud attempt rates between Thanksgiving and Cyber Monday in 2022 were 82 percent higher globally than the rest of the year.

Not only is return fraud a costly problem for businesses, it can also put customers at risk and damage an organization’s reputation. If a business tightens its policy to crack down on fraudulent activity, legitimate customers may become wary of making purchases if they believe their return may not be accepted. This can result in fewer sales and a loss of trust in the brand. 

What are the Types of Return Fraud?

One of the reasons return fraud can be difficult to detect is that fraudsters employ numerous tactics to carry out their schemes. Some of the most common return fraud types include:

• Empty box scams: When fraudster customers falsely claim they have received an empty box instead of the intended merchandise and claim a refund. This fraud type can also refer to dishonest sellers who deliberately ship out empty boxes only to claim that it is the buyer’s word against theirs.
• Wardrobing: When consumers buy items, use them once, and return them later. This common type of return fraud has caused contention in the past, with many consumers believing it to be a harmless action. 
• Price switching: This type of scam refers to consumers that buy an item at one price before switching the price tag with a more expensive item and returning it for a refund. This fraud type is most prevalent in physical stores.
• Opportunistic: This type of return fraud occurs when consumers choose – either deliberately or unwittingly – the wrong reason for a return on a form. This isn’t necessarily a pre-meditated fraud type as many consumers are unaware that choosing the incorrect “reason” will affect the merchant.
• Bricking: This type of return fraud is typical with electronic devices. It occurs when a buyer returns an item after dismantling the product and removing its valuable parts. The fraudster will then usually re-sell the parts for a profit, and keep the refund fee issued to them by the merchant.
• Seller sabotage: When sellers buy all the items from a competitor and send them back as late as possible to deplete the competitor’s inventory. Sometimes counterfeit items are returned in the original packaging to damage the competitor’s reputation with legitimate buyers. 
• Stolen merchandise return: This return fraud type occurs when a fraudster uses a stolen credit card to buy an item online before returning the stolen goods in-store for a refund. If the refund is completed on a different card or given in cash, this is an example of placement.

How to Detect Return Fraud?

Since the risk of exposure to fraud grows as companies scale, it is important to implement innovative solutions that can detect fraud in real-time. Measures to proactively detect return fraud include:

• Using machine learning and behavioral analytics to identify anomalistic behavior that indicates various types of fraud.
• Analyzing data from past return fraud cases allows retailers to identify behavioral patterns or red flags specific to their business. This type of information can help sellers spot potential scams and take the appropriate risk-based action to prevent losses.
• Educating and training staff to be able to recognize the red flags surrounding return fraud and explaining what a “normal” vs “abnormal” number of returns looks like.

How to Prevent Return Fraud?

While steps can be taken to prevent return fraud through educating employees, verifying customer identities, and updating policies, companies that take an AI-driven approach are much more likely to stay one step ahead of fraudsters. 

To effectively mitigate the risk of return fraud, firms should:

• Ensure their anti-fraud tools can detect common fraud scenarios and project future risks to help teams anticipate threats. This can be done efficiently and cost-effectively by implementing an AI overlay to existing tools as it does not require a total system overhaul.
• Implement a solution that offers a high level of configurability and provides the ability to build custom rule sets to prevent fraud types that pose a particular threat. 
• Employ a tool that fine-tunes alerts across various payment chains and allows firms to respond to changing fraud risks in near real-time. 

The post What is Return Fraud and How to Prevent It appeared first on ComplyAdvantage.

Common Red Flags

Customer behavior changes are often a core indicator of fraud. For example, in the case of elder financial abuse, the American Bankers Association (ABA) identified 14 red flags to watch out for. These include:

• Transactions suddenly completed for the customer by other individuals – without required documentation (even if they are loved ones or caretakers)
• Account information changes – such as statements sent to addresses not on file for the customer
• Transactions much larger than usual – or that suddenly exceed available funds

Other crimes are more sophisticated, such as account takeover (ATO) fraud. In this situation, a fraudster uses details obtained through hacking or social engineering to gain access to a customer’s account and funds. They then attempt to behave as though they were the customer to avoid detection. Despite ATO fraud’s complexity, certain patterns are commonly visible. For example, changes in a customer’s login behavior could indicate someone else (or even a bot) is attempting to gain access. Other red flags could include changes in typical user routines or IP addresses that don’t match the customer’s normal location.

Similar patterns may occur in the case of digital payment or credit card fraud. In each case, broad changes in historical behavior – like transaction locations, velocities, or amounts – can alert analysts and alerting systems.

Complex Behaviors: Invisible Patterns

Yet many behavioral changes are much subtler, requiring a more granular approach. These changes create atypical patterns that people close to the customer would notice, but anyone else might miss. For example, certain customer habits connect to their psychology, such as times of day for shopping, or saving and investment styles. In particular, criminals committing ATO fraud specialize in mimicking the real customer’s identity. Often, then, the strongest indicator of fraud is a complex combination of signals that, alone, would seem weak.

Conventional rules often struggle to identify such nuanced behavioral changes. And analysts don’t have time to learn the nuances of how every customer behaves.

Using Artificial Intelligence in Behavioral Analytics

How, then, can a fraud prevention team dealing with large volumes ofcustomer profiles detect patterns that might be invisible to those unfamiliar with individual customers’ personalized patterns? How can individual analysts hope to put together complex, weak signals that might fail to trigger traditional rules?

Such hidden and interconnected behavioral anomalies require solutions with enough power to detect patterns at a large scale. Using machine learning, behavioral analytics can connect seemingly unrelated data points in a  customer’s profile – even when faced with multiple accounts and distinct patterns. Armed with powerful tools, fraud and risk teams can detect patterns invisible to the naked eye, helping them stay ahead of complex fraud typologies.

The post Fraud Prevention: How AI Helps Track Changes in Customer Behavior appeared first on ComplyAdvantage.

Before the model, inconsistent fraud classifications made it harder for organizations to understand or effectively respond to complex fraud trends. For example, the Federal Reserve noted a lack of clear distinction between check fraud and ACH fraud. Other types of fraud also lack consensus: some organizations classify identity theft and credit card theft together, while others separate them. 

To solve this problem, the Federal Reserve collaborated with industry experts to create a consistent language through a robust and interactive resource for defining fraud: the FraudClassifier Model. Because of its strong benefits, ComplyAdvantage has chosen this model to underpin its approach to fraud and fraud prevention.

How Does the FraudClassifier Model Work? 

For collaborative analytics to be effective, all parties must agree on key definitions related to fraud types, methods, and tactics. The FraudClassifier Model provides these standardized definitions, enabling financial institutions to implement a more targeted and effective strategy when responding to complex fraud types. 

The model also includes authorized parties in its fraud classification – an entity with the right to initiate a payment – whereas traditional categorizations tend only to consider unauthorized parties – an entity without the right to initiate a payment. This is important because many fraud events involve bad actors deceiving or coercing an authorized party into making a payment, or an authorized party initiating a payment with intent to defraud. Without this extended definition, significant fraud trends could be overlooked.

The classifier model asks respondents three successive questions. Each further specifies the nature of a given fraud event:

1. Who initiated the payment? The initiator is either classified as an authorized party or an unauthorized party.
2. How was the fraud executed? For example, the initiator could have been manipulated if they are the victim – or may have hacked an account if they’re the fraudster.
3. What tactics were used? This is the most detailed classification level, identifying exactly how the fraudster succeeded in committing the fraud (for example, through a relationship scam.)

Benefits of Adopting the FraudClassifier Model

In creating the model, FraudClassifier’s creators intended to offer several significant advantages to the fight against fraud. The industry not only confirmed these benefits but also pointed out several others. Validated benefits include:

• A holistic understanding of fraud – The Federal classifier model recognizes that unified fraud trends can affect various payment methods. To successfully identify trends shared by diverse events, it classifies fraud simply: first establishing whether or not the initiator was authorized, and then determining what tactics were used.
• Common fraud vocabulary – Without shared terminology, collaborative fraud analysis is virtually impossible. The model provides an intuitive, shared framework allowing cooperating organizations to use standard definitions and language.
• More collaborative data – The Federal Reserve seeks to use this model to allow better fraud data comparison across the industry. The common framework also supports information-sharing for collaborative analytics.
• Enhanced grasp of fraud trends – The model offers improved insights into fraud trends. These, in turn, better support risk-based fraud analysis.
• Stronger fraud countermeasures – Beyond analysis, the model’s insights allow risk management teams to implement more effective fraud-fighting responses.
• Better-educated customers – A well-informed firm is better able to educate its customers. And informed customers can better defend themselves against fraud.

The benefits of adopting the FraudClassifier Model are substantial, but it is important to clarify that such adoption is entirely voluntary. The model is intended as a powerful tool and resource that does not come with any regulatory requirements. That said, adopting it can better enable firms to stay proactively compliant and prevent unnecessary losses to fraud. It also puts firms in a position to join industry leaders in contributing to a stronger industry-wide understanding of fraud trends – bolstering the global fight against fraud and money laundering.

The post What is the FraudClassifier Model? appeared first on ComplyAdvantage.