What is Simplified Due Diligence?

Simplified due diligence (SDD) is the lowest level of customer due diligence (CDD) that a financial institution can employ. It is a brief identity verification process that can be applied to eligible customers when the risk of money laundering or terrorist financing is deemed very “low”. It precedes standard due diligence – the most common level applied to low and medium-risk customers – and enhanced due diligence (EDD) – applied to high-risk customers.

Compared to higher levels of due diligence, SDD entails less intensive means of gathering information. Despite this, SDD must still respond to the four components of CDD outlined by the global financial crime watchdog, the Financial Action Task Force (FATF). These include:

• Customer identification and verification
• Beneficial owner identification and verification
• Understanding the purpose and nature of the relationship
• Ongoing monitoring

Who Qualifies for Simplified Due Diligence?

While every new prospective customer must undergo identity checks and verification, not every customer will qualify for SDD. Generally, the following customer types qualify for SDD because of their inherent low risk of ML/TF:

• Financial institutions that are subject to money laundering requirements, such as the European Union Anti-Money Laundering Directives (AMLDs)
• Entities that are accountable to a community institution and subject to appropriate check and balance procedures
• Public authorities that have a publicly available identity and transparent accounting practices
• Customers offering certain insurance policies, electronic money products, or pensions

However, the above list may vary depending on the jurisdiction, as not all countries permit SDD to be performed in the same way or under the same circumstances. In the EU, the Fourth Anti-Money Laundering Directive (4AMLD) noted that firms could no longer automatically apply SDD measures to a “pre-defined” list of customers. Instead, firms must now actively demonstrate low risk and provide robust rationale for using SDD. 

In Canada, firms can apply the “simplified identification method” to seven specific types of entities issued by Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provided firms also record their grounds for considering there is a low risk of ML/TF. By contrast, New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Act 2009 defines 19 customer types eligible for SDD. 

When is Simplified Due Diligence Needed?

Of the 40 Recommendations provided by the FATF, Recommendation 10 focuses on CDD, which includes SDD. The FATF recommends that due diligence measures should be undertaken when:

• Establishing a business relationship
• Suspicion is raised about money laundering or terrorist financing
• The financial institution questions the adequacy of previously obtained customer identification data
• Carrying out occasional transactions above the designated threshold (USD/EUR 15,000)

In these instances, firms will often undertake due diligence measures to identify the account’s beneficial owner, obtain information on the intended purpose of the business relationship, and complete source of wealth (SOW) and source of funds (SOF) checks. But, if there is a proven low risk of ML/TF and the account relates to a particular type of financial institution or activity, firms may decide to undertake a simplified set of due diligence measures. 

The FATF provides a non-prescriptive list of instances when SDD may be required:

• A financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis
• A financial product or service provides appropriately defined and limited services to certain types of customers
• A household has an average monthly income less than a predetermined amount

When identifying lower-risk situations suitable for SDD, compliance staff should ensure the scenarios are consistent with the assessment of overall ML/TF risks identified on a country and company-wide level. 

The Compliance Team’s Guide to Customer Onboarding

Learn how to prioritize risk and effectively manage it in our 5-part training series for compliance professionals.

Download now

What are the Steps Involved in the SDD Process?

1. The first stage of SDD is known as the customer identification process (CIP). This occurs during the customer onboarding phase before a business relationship has been established. During this stage, firms must ensure the sources they use to identify their customers are reliable and independent to mitigate the risk of criminals being onboarded with expertly forged documents.

2. Once a customer has been identified, firms must then determine the level of due diligence to perform. This decision should be made in light of an organization’s risk appetite informed by its business-wide risk assessment, which should also form the basis of a firm’s policies and procedures. These policies should indicate the type of customers and industries a firm is willing to do business with.
When assessing whether SDD is the appropriate level of due diligence to perform, compliance teams should consider their firm’s risk ratings related to:

• Customer-type 
• Jurisdiction
• Occupation
• Products and services offered
• Account-type
• Ownership structure

3. If the customer is deemed low-risk across the factors listed above, a simplified, less detailed identity verification process can begin. At this stage, firms can use public information or rely on fewer documents to verify a customer’s identity. Beneficial owners may also be identified without seeking additional information or documents to verify their identities. The purpose and nature of a proposed business relationship can also be inferred from the nature/type of both the client and the desired product or service.

4. Once the customer’s identity has been verified and they have been successfully onboarded, firms must undertake ongoing monitoring measures to ensure the client remains low-risk. If any unusual activity is flagged during this stage that is not commensurate with the customer’s risk profile, firms may decide to employ greater levels of CDD.

What is the Difference Between SDD and EDD?

Making up both ends of the due diligence spectrum, SDD and EDD differ in many ways. The table below outlines where they diverge across each element of the know-your-customer (KYC) process.

Ultimately, effective CDD measures are built on a combination of expertise and technology. As customer risk scores and criminal threats evolve, firms must be prepared to be flexible with their due diligence process. While SDD measures are less time and resource intensive than standard due diligence or EDD, firms should still utilize autonomous systems that refresh entity profiles within minutes of a change, lest a customer’s risk profile changes and they are no longer eligible for SDD.

The post What is Simplified Due Diligence (SDD)? appeared first on ComplyAdvantage.

For the third consecutive year, there was a pronounced rise in the number of firms telling us they choose to incur AML fines and make violations “all the time.” This number, 61 percent in 2020, had risen to 79 percent by 2022. 

The reasons behind this trend are likely complex, but raise the question: Are firms becoming desensitized to the threat of fines? In this article, we look at some of the top AML fines in 2022 and consider the type and nature of the violations that earned the steepest financial penalties. 

AML Fines in 2022

In 2022, global fines for failing to prevent money laundering and other financial crime surged more than 50 percent, with many firms, particularly in the UK and the US, committing repeat infractions. 

While fines are typically issued several years after AML failings occur, the top AML fines incurred in 2022 occurred across the following sectors:

1. Trading and Brokerage – $6 billion+ in fines
2. Banking – $2 billion+ in fines
3. Gambling – $71.4 million+ in fines
4. Cryptocurrency – $30 million in fines
5. Asset Management – $2 million+ in fines

Trading and Brokerage – $6 billion+ in fines

In 2022, the Securities Exchange Commission (SEC) and the Financial Conduct Authority (FCA) ordered over $6 billion worth of fines and restitution payments to various trading and brokerage firms.

One of the fines was issued as a result of a long-running fraud scheme that involved concealing the immense risks of a complex options trading strategy. In this case, the SEC discovered that several senior staff members had misled institutional investors to believe their funds were protected against any sudden stock market crashes by hedges that were implemented as part of the fund’s investment portfolio.

However, when the cost of the hedges rose significantly, the senior officials secretly purchased less effective and cheaper hedges that provided a reduced level of protection. Investors were also provided with altered documents that concealed the true risk of the funds’ investments, including the fact that cheaper hedges had been bought. However, the economic volatility of COVID-19 exposed the products’ true risk, resulting in the loss of over $5 billion in investor funds. Following the investigation, the SEC issued a $1 billion fine and ordered the investment firm to pay over $5 billion in restitution to victims in light of the firm’s failure to conduct effective oversight and verify investment activities. 

Additional AML infractions from investment firms were penalized by the FCA. One firm was fined over £2 million for failing to implement adequate procedures, systems, and controls to mitigate the risk of being used to facilitate fraudulent trading. The financial watchdog also discovered a circular pattern of purported trades, which appeared to have been carried out to allow tax reclaims to be withheld in multiple European countries. 

Banking – $2 billion+ in fines

Bank AML fines in 2022 reached far and wide across the globe, totaling over $2 billion in civil monetary penalties. In one of the largest fines of 2022, a European bank was found to have insufficient transaction monitoring of high-risk customers and inadequate enhanced due diligence (EDD) measures. The bank also made fraudulent representations to other international banks, claiming their deficient AML systems were actually effective.  

The FCA also fined several banks for failing to conduct sufficient checks for money laundering and terror financing, while processing deposits from customers in high-risk countries. In one case, the FCA noted that a bank had also failed to undertake the required checks for some politically exposed persons (PEPs) and had inadequate compliance staff to perform the work required. 

The Financial Crimes Enforcement Network (FinCEN) also issued a series of hefty fines in 2022, including a $140 million civil money penalty against a bank in light of it willfully failing to implement and maintain an AML program that met the minimum requirements of the Bank Secrecy Act (BSA). FinCEN also noted that the bank failed to accurately and timely report thousands of suspicious transactions.

Gambling – $71.4 million+ in fines

The gambling sector saw an onslaught of AML fines in 2022, with the Australian Transaction Reports and Analysis Centre (AUSTRAC) issuing a large fine to an entertainment group that permitted its customers to move money through payment channels that were non-transparent and involved high money laundering and terrorist financing risks. According to the regulator, the group also failed to identify the source of funds (SOF) moving through these channels or whether there was a risk that the source of funds was illicit.

The UK Gambling Commission issued its largest fine to date in 2022 after an investigation revealed money laundering and social responsibility failings. Some of the AML compliance failures included:

• Allowing customers to deposit £40,000 before carrying out SOF checks
• Not identifying which documents should be requested as part of SOF checks
• Accepting verbal assurances from customers regarding income and being reliant on open-source information to validate SOF

Cryptocurrency – $30 million in fines

2022 also saw the New York State Department of Financial Services (NYDFS) announce a $30 million financial penalty for significant crypto-related AML, cybersecurity, and consumer protection violations. Marking the NYDFS’ first-ever crypto-sector enforcement, the firm’s AML failings included:

• Having an inadequately staffed compliance program
• Failing to swiftly transition from a manual transaction monitoring system that was inadequate given the company’s size, customer profiles, and transaction volumes
• Not devoting sufficient resources to address risks specific to the firm

Additionally, the NYDFS found critical failures in the firm’s cybersecurity program. The program did not fully address the firm’s operational risks, and some policies within the program did not comprehensively comply with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations. 

Asset Management – $2 million+ in fines

European regional regulators issued various fines to asset management firms in 2022, specifically those that failed to monitor their clients and promptly report any suspicious activity to a Financial Intelligence Unit (FIU). In one case, the Netherlands Authority for the Financial Markets (AFM) discovered a firm had not appropriately classified some of its clients into risk categories. Consequentially, it was found that of the company’s 250,000 plus accounts, only two clients had received the risk classification “provisionally unacceptable.”

AML Violations With the Biggest Penalties

In 2022, financial institutions were fined over $8 billion for AML-related infractions, bringing the gross amount of AML fines since the global financial crisis (2007-2008) to an estimated $56.1 billion. In light of the examples listed above, the violations that received the biggest penalties leaned toward repeated violations and failure to effectively calibrate AML measures with a firm’s risk profile, including:

• Deficient customer due diligence (CDD) processes 
• Failure to monitor politically exposed persons (PEP) and high-risk entities
• Inadequately staffed compliance programs
• Insufficient SOF and source of wealth (SOW) checks

In each case, the failures above reiterate that in order to effectively monitor a firm’s customers, they need to know who their customers are. 

Upcoming AML Regulations in 2023

According to our global compliance report, when asked which area of their compliance function would be at risk in an audit, 48 percent of firms (the highest proportion) told us it would be their knowledge of regulations. To ensure future audits go as smoothly as possible, compliance staff should be aware of the following upcoming AML regulations in 2023:

• The Financial Action Task Force (FATF) will continue to work towards the priorities set out by the new Singapore presidency in July 2022. Compliance staff can expect upcoming regulations relating to strengthening asset recovery, countering illicit finance associated with cybercrime, and increasing the effectiveness of global AML measures.
• The US will continue focusing on three core themes, including strengthening laws and regulations to tackle illicit financial flows; modernizing, building, and enhancing regulatory and enforcement frameworks, particularly in the crypto space; and targeting wrongdoers who seek access to the US financial system to launder the proceeds of crime. 
• The European Union will continue to overhaul its AML/CFT regulations as the AML package moves through the EU governance process. Some additional initiatives from the European Union likely to come to light in 2023 include new measures targeting environmental crime, a strategy to address de-risking, and action on rising numbers of cross-border money laundering cases.

Explore more by downloading our Regional Regulatory Trends report today.

How to Avoid AML Fines in 2023

Given that 79% of our survey respondents said they choose to incur AML fines and make violations “all the time,” it is clear that many firms are experiencing “enforcement fatigue.”

According to Iain Armstrong, Regulatory Affairs Specialist at ComplyAdvantage, compliance officers will need to keep their businesses focused on good outcomes by emphasizing the human, as opposed to financial, cost of financial crime more than ever. Indeed, firms should not be complacent about the longer-term reputational effects of widely-publicized fines and enforcement actions, particularly with the oldest of the millennial generation starting to enter middle age.

To mitigate the risk of incurring AML fines in 2023, firms should:

• Implement a transaction monitoring solution that screens in real-time and can be configured according to different risk appetites for various business flows 
• Enhance customer screening measures to streamline onboarding processes through automation and exceed regulatory requirements 
• Access real-time global coverage with robust watchlists and sanctions screening software
• Provide thorough training to compliance staff on AML requirements, including reporting obligations, sanctions/asset-freezing measures, and conducting adequate SOF and SOW checks 

The post Top AML Fines in 2022 appeared first on ComplyAdvantage.

While all of these are important, one often overlooked factor is implementation. How vendors implement their clients’ AML programs is critical. A slow implementation process risks undermining the customer experience and delaying the roll-out of new products and services. Poor support over time can become a chronic issue weighing compliance teams down if, for example, the ability to add new rules and capabilities is impacted.

So how can firms assess what ‘good’ looks like when it comes to implementation? Here are five top considerations.

Implementation of Anti-Money Laundering Software: Five Top Considerations

1. Pre-built rules and collateral

While onboarding times will vary based on the complexity of the implementation and specific client requirements, there are steps vendors can take to make this smoother. For AML solutions like transaction monitoring and screening, one important feature compliance teams should look for is ‘plug and play’ capabilities that make the set-up process more efficient. Offering a pre-built library of rules and typologies is one good example of this. In addition to demonstrating what a best practice program looks like, these libraries can help teams get set up quickly, without the need to build everything from scratch. 

In addition to pre-built rules, firms should ask vendors about the collateral they provide to support implementation. This may include a rule library, API guide, dummy data for testing, and more. All of these help clients to get started more quickly and mean they can get up-to-speed in their own time.

Vendors should be realistic about the length of the implementation process, though. With cost-effective solutions and the right resources prepared on the client side, implementation times can be as short as two weeks.

2. A personalized approach

‘Out of the box’ features such as a REST API need to be supported by in-house technical and personnel skills to manage complex, customized implementation requests. Some clients will inevitably have bespoke rule sets they need to manage or particular challenges with the structure or quality of their data. This must be considered upfront to ensure the fraud and AML detection system works effectively post-implementation. To manage this complex array of requests, firms should ask vendors how they manage the implementation process. A best practice approach is for each client to have a dedicated implementation consultant who will support them through to go-live, ensuring continuity of service and a speedy response to inevitable questions and challenges. Ideally, this consultant will be flexible about working remotely or on-site with the customer, based on what will enable them to progress more effectively.

TransferMate, one of the world’s leading B2B payments infrastructure-as-a-service companies, enables individuals to make seamless, cost-effective cross-border payments. But operating across more than 201 countries and 141 currencies means the risks and typologies their team must monitor for are not always captured by pre-built rule sets. During its implementation process with ComplyAdvantage, the two teams communicated almost daily. Alex Clements, Global Head of Financial Investigations and Monitoring at ComplyAdvantage, described this as a “one team, two organizations” approach. The company worked with ComplyAdvantage implementation consultants to define its data model and scope out the bespoke rules it wanted to build for transaction risk management. ComplyAdvantage used its industry expertise to help TransferMate achieve its goals, sharing ideas and best practices.

3. Strong industry knowledge

Some regtech vendors will also specialize in supporting certain markets like digital banking or payments. Others have a broad suite of clients, with implementation and customer success teams dedicated to each. While both approaches can make for a successful business, firms should ensure their vendor has experience with relevant firms in their space. This will enable greater out-of-the-box thinking when solving inevitable challenges and roadblocks. This also empowers implementation teams to be proactive, offering creative solutions that can help firms get to their intended solution more quickly or efficiently than they had anticipated.

Hampshire Trust Bank (HTB), a specialist bank based in the UK that provides business finance, mortgage, and development finance solutions, has compliance challenges unique to its business model. By working with an experienced implementation team at ComplyAdvantage, the bank is able to, for example, look at how to optimize the application of its transaction monitoring rules for specific customer segments that may operate in particular ways.

4. Sandboxing and an iterative mindset

From day one of implementation, the best vendors will have a ‘test and iterate’ mindset. This should begin with a sandbox, enabling integration to start immediately. A sandbox approach also means implementation can be phased, with deliverables that are ready starting immediately while work on other areas of the solution is ongoing.

The intersection of implementation and customer success is also critical. Customer success managers will be their clients’ front-line representatives when explaining and working through the roll-out of new vendor features, or when managing client requests for new capabilities. A knowledgeable and engaged customer success manager can also proactively recommend optimizations based on their experience working with other similar clients. As Robin Jeffrey, Head of Transformation at HTB explained about working with ComplyAdvantage: “Other products we reviewed on the market were more rigid. ComplyAdvantage enables us to focus on continual improvement, adapting the platform as we learn and as the world evolves.”

5. Agile to changing risks

It’s also important for firms to remember that implementation is not a ‘one-and-done’ process. Compliance decision-makers should evaluate firms’ ability to support changes over time as new risks emerge. Look for a firm that offers features like the ability to build new rules quickly without the need to raise a time-consuming support ticket. Waiting for a vendor’s IT team to implement a change to risk thresholds based, for example, on new information from law enforcement could lead to criminal behavior going undetected for weeks, or even months.

Overseas payments and foreign exchange provider Lumon found itself needing to react quickly in the early stages of the pandemic when it saw a sudden increase in COVID-related investment fraud. “ Within 48 hours of identifying this, Lumon developed and deployed new rule sets to combat the threat and prevent more customers from falling victim to scams” explains Alessio Giorgi, the firm’s Head of Compliance and MLRO.

The post Anti-Money Laundering Program: Why Good Software Implementation Is Critical appeared first on ComplyAdvantage.

With global executives attributing 63 percent of their company’s market value to its reputation, according to KRC Research, this is perhaps unsurprising. But an awareness of the potential for fraud and money laundering to impact a firm’s reputational risk is one thing – mapping out a proactive strategy to mitigate those risks and identify emerging threats is a different proposition. So what specific anti-money laundering (AML) reputational risk considerations should firms be aware of throughout 2023?

1. Economic volatility  

According to the World Bank Group, growth in advanced economies is projected to slow from 2.5 percent in 2022 to 0.5 percent in 2023. Over the past two decades, economic downturns – most notably the Great Recession from 2007-9 – have foreshadowed a rise in financial crime. Our survey indicates firms expect this to happen again, with 59 percent preparing for an increase in financial crime. Economic volatility and pressure could even drive a broader increase in risk-taking behavior from previously legitimate actors, some of which will cross the line into financial crimes.

The challenge for compliance teams here is twofold. If firms over-adjust their risk management policies, they risk frustrating existing customers and impacting growth, making it hard to onboard new customers. At the same time, if firms don’t adapt, they may face regulatory enforcement action and the negative media coverage that results from this. 

To effectively balance and manage reputational risks associated with economic volatility, firms should be proactive in enhancing their ability to risk-assess customers to reduce the probability that they will inadvertently onboard a criminal. This will also improve compliance teams’ ability to detect unusual behavioral patterns in existing customers. According to our Regulatory Affairs Practice Lead, Iain Armstrong, this could involve more firms adopting unified platforms for initial and perpetual know your customer (KYC), complemented by more effective identity and verification (ID&V) tools. 

2. Ransomware

Ransomware has become the biggest cybersecurity threat facing financial institutions across the globe today. An analysis published by the Financial Crimes Enforcement Network (FinCEN) showed that, compared to 2020, reported ransomware incidents in the second half of 2021 increased by more than 50 percent. 

According to research company Gartner, ransomware will have infected 75 percent of all firms by 2025, with annual damage costs expected to reach $265 billion by 2031. In our survey, firms have selected cyber security as their biggest compliance-related pain point for the last three years, with 53 percent saying so in 2022. This suggests that many firms are aware of the need to ensure their cyber defenses, data hygiene, and training programs are kept under continuous review so they can rapidly adapt to the shifting threats as effectively as possible. 

Familiarity with the latest behaviors, and any specific forms of ransomware targeting their sector, will be critical to protecting a firm’s customers and reputation. Given the intersection of ransomware with crypto, firms should take extra care with their training and risk management practices relating to crypto-ransomware attacks.

2. Environmental crime

International concern about environmental crimes and wildlife trafficking soared in 2022, reflecting the threat posed to food security, political stability, conflict, and forced migration. In our survey, when asked which predicate offenses were most important to their organizations, more than one in four selected environmental crime, making it one of the top selected offenses.

Some of the growth in demand driving environmental and wildlife crimes can be attributed to the easing of pandemic restrictions, which has made activities like poaching easier. These types of crime are seen by criminals as having an attractive risk-reward ratio in that the penalties tend to be lower than many other predicate offenses, while the rewards can be just as high if not higher. Policymakers and regulators globally are taking note. In November 2022, the European Commission adopted a revised EU Action Plan to end the illegal wildlife trade. Its goals include tackling the root causes of wildlife trafficking, strengthening legal frameworks, more effective regulatory enforcement, and improving partnerships.

Coinciding with these factors is a growing public consciousness about the importance of conserving the environment and the desire to work with ethical brands that match their values. Combined, this creates a significant reputational risk for firms on multiple fronts if they are not proactive in 2023. To mitigate this risk, firms should consider enhancing their transaction monitoring scenarios and rules in light of their growing understanding of how environmental crime intersects with other types of financial crime. Developing an  Environmental, Social, and Governance (ESG) program and establishing internal controls for ESG data and reporting will also be essential for firms seeking to minimize the risk of greenwashing claims. 

3. Crowdfunding 

This year our survey asked about using decentralized finance (DeFi) platforms to support extremist political groups for the first time. 87 percent of respondents said they’d seen an increase in the use of these platforms to fund extremism, with 31 percent believing the growth to be “significant.” 

Events such as the 2022 protests across Ottawa and US-Canada border crossings fuelled this growing concern. On February 4th, 2022, GoFundMe closed a campaign supporting the “Freedom Convoy” due to concern it had become an “occupation” and amidst widespread reports of violence. Crowdfunding has also supported Islamic State (IS) operatives in Syria. Reporting indicates family members of young men trapped in Syrian camps have attempted to use the Telegram messenger service to “bring them to safety.” 

Pertinent to crowdfunding platforms, banks, and other financial institutions that support them, the risk factors associated with DeFi platforms should be managed through robust KYC measures, such as enhanced due diligence (EDD). Compliance teams should also ensure they are aware of emerging regulations in the cryptocurrency and crowdfunding space to ensure they have adequate, effective, scalable financial crime control solutions. Failure to keep up with regulations exposes firms to financial crime risks. 

4. Data 

Amidst challenges related to managing customer data, increasing regulatory expectations, and competitive pressure, our survey showed that firms are increasingly focused on data and organizational transformations. 

39 percent of firms said digitally transforming legacy systems was their most significant compliance-related pain point, a two percentage point increase on 2021 and 6 percentage points higher than in 2020. Furthermore, firms also cited “relevancy” as a critical challenge concerning data. Specifically referring to data being stored in the correct categories, 38 percent of firms said this was their organization’s most significant pain point alongside compiling global data. Not only does this represent a seven percentage point increase from 2020, but it also correlates with the growing concerns about legacy systems – as good data hygiene is only feasible when systems can support it.

Considering the high percentage of firms focusing on legacy system updates, firms that have not yet made a similar commitment to transformation risk building up a backlog of alerts that could impede their ability to act quickly in the event of any suspicious activity. This, in turn, could lead to enforcement action by regulators. On a day-to-day basis, firms also risk slowing customer onboarding and impeding the ability of customers to process transactions and manage their accounts effectively. 

The post 5 AML Reputational Risk Considerations for 2023 appeared first on ComplyAdvantage.

This year, 87 percent of survey respondents said they’d seen an increase in the use of these platforms to fund extremism, with 31 percent believing the growth to be “significant.” In a report issued on March 1, 2022, the US Treasury explained how domestic extremists have used legal fundraising methods to support their activities, making them harder to detect. The Treasury also highlighted the pandemic’s role in making these platforms “a necessity rather than a convenience.” 

3 Ways Firms Can Manage Crowdfunding Risks

Alia Mahmud, Regulatory Affairs Specialist at ComplyAdvantage, pointed out that “many crowdfunding platforms have been caught short by the surging demand for their services. Crowdfunding, in conjunction with cryptocurrencies and social media, increases the risks of terrorist financing by allowing bad actors to utilize the reach of crowdfunding platforms and crypto asset technologies to gain support from followers and receive funds.”

Mahmud emphasized three practical areas firms can consider in response to this trend.

1. Study Global Crowdfunding Regulations

Mahmud urges “compliance officers in firms offering decentralized finance services” to educate themselves regarding “emerging regulations in the cryptocurrency and crowdfunding space.” The goal, she says, is to “ensure they have adequate, effective, scalable financial crime control solutions in place.”

What might this look like in practice? Firms should become familiar with global regulatory trends such as Canada’s crowdfunding AML legislation and responses to crypto from governments in Singapore, the United Kingdom, the United States, France, and other key players. And Mahmud recommends a particular focus on the European Union’s new crowdfunding regulations. The EU updated that legislation in 2022, requiring firms to assess business continuity risks for outsourced services. This is especially relevant in a risk-management context, as financial crime controls are considered critical and are often provided by third-party vendors. 

In light of this amendment, firms should develop a robust business continuity plan to mitigate the risk of critical failures by third-party providers, ensuring, for example, the continuity of payment services. 

2. Align Crowdfunding Transaction Monitoring with Financial Crime Trends

As firms ground their risk assessments in sound regulatory knowledge, Mahmud urges them to focus especially on transaction monitoring. Crowdfunding service providers (CSPs) should tailor their “rules to the unique typologies and behaviors” associated with high-risk crowdfunding activity. A report funded by the Internal Security Fund of the European Union highlighted several key risks CSPs should be aware of, including:

• Donation-based services – Terrorist financers tend to prefer these over commercial crowdfunding platforms.
• Money-pooling schemes – Higher risks are present when users were able to pool money over an indefinite period of time for vague purposes.
• Lack of sufficient controls – Services that did not closely supervise accountholder activity were also deemed to be at higher risk.

When it comes to risk-based transaction monitoring, many firms’ hard-coded rules cannot identify dynamic risks. To address this challenge, firms might consider an artificial intelligence (AI)-based overlay, which can learn to identify risks through behavioral analysis. 

To ensure AI is applied efficiently, CSPs’ AML/CFT departments should start with a gap analysis. What areas in their current process struggle most to meet robust AML/CFT standards? Once the most pressing inefficiencies are identified, firms can consider how best to address them with machine learning or artificial intelligence. 

For example, our survey showed firms believe improved alert prioritization, the flexible tuning of alert thresholds, and the ability to identify new connections between individuals/entities to be the use cases that could add the most value to their organization. In one example, prioritization reduced false positives by a third (33 percent). Firms can also use AI to uncover hidden risks by seamlessly layering advanced techniques like behavioral analysis and anomaly detection.

3. Boost Enhanced CSP Due Diligence

“Banks and other providers working with crowdfunding organizations should perform enhanced due diligence before agreeing to a partnership,” Mahmud concludes. Such comprehensive due diligence is necessary to avoid “being exposed to financial crime risks by facilitating the movement of illicit funds and the bad publicity that comes with these.”

While the exact processes involved in enhanced due diligence can vary, firms should expect to be held accountable for successfully screening out noncompliant CSPs and should ensure EDD is an extension of holistic due diligence practices. 

The European Banking Authority (EBA) recommends firms consider several red flags for high-risk crowdfunding service providers. These may indicate the need for EDD before onboarding and include:

• CSPs allowing delayed contributions to unspecified projects
• CSPs that do not impose transaction or total funds limits
• CSPs permitting individuals or unregulated entities to withdraw cash
• CSPs that allow virtual currency payments
• CSPs that permit account holders to transfer funds to each other

In their customer screening processes, firms should also verify that prospective client firms have sound customer screening, onboarding, and monitoring practices that align with or surpass AML/CFT regulations and best industry practices.

The post Why Crowdfunding is a Top AML Risk for 2023 appeared first on ComplyAdvantage.

Three Steps to Supply Chain Risk Management 

Iain Armstrong, Global Regulatory Affairs Practice Lead at ComplyAdvantage, shared three key risk management insights in light of the evolving supply chain landscape.

1. Comprehensive Due Diligence

As international sanctions continue to develop, the risk of violations is high. Even early on, Russian sanctions hit the global supply chain hard, and the program’s global effects will continue as enforcement becomes more stringent. 

However, Armstrong argues that tensions with Russia are the tip of the iceberg. “With tensions still high with China – a much bigger part of global supply chains than Russia – firms will need to consider a blanket approach to enhanced due diligence for relationships with even a tangential nexus to those jurisdictions.” With sanctions evaders taking ever more creative steps to try and stay ahead of regulators, firms should take a structured and comprehensive view of their supply chain risks.

Enhanced due diligence (EDD) processes can help firms to achieve this. Therefore, firms seeking to establish a robust supply chain EDD framework should integrate it into a comprehensive, risk-based due diligence program. Requirements may include:

• Supply chain risk assessment – Ensure risk assessments and risk appetite evaluations are up-to-date. Assessments should consider evolving customer relationships, important new sectors or activities, and particular risks they may pose.

• Ultimate beneficial ownership (UBO) – High-risk individuals associated with a business account can indicate a need for EDD. Processes must be able to efficiently identify UBOs and key decision-makers.

• Adverse media – A prospect’s association with sanctions, negative news, and other adverse media can trigger additional due diligence. Screening suppliers and third parties against this data can also alert firms to modern slavery risks such as human trafficking. For accuracy, sync screening processes with live negative news data.

• Up-to-date sanctions data – Coordinate know your business (KYB) processes with live sanctions information. Even a proximate association with sanctioned activity, entities, or locations may call for EDD.

• Identifying at-risk customers – Supply chain customers associated with high-risk locations and activity – even tangentially – may require enhanced due diligence. 

2. Sharpened Focus on Know Your Business

A robust approach to supply chain EDD involves an enhanced focus on know your business (KYB). Firms must pay special attention to at-risk business partners – including how they relate to the whole chain. A business partner appearing to be low-risk in isolation may have ties to risky entities. 

In December 2022, for example, the Biden administration announced plans to blacklist Yangtze Memory Technologies (YMTC) and 30 other Chinese technology companies after months of pressure from lawmakers. The US also seeks to enter an accord with the Netherlands and Japan, preventing companies under all three jurisdictions from exporting chipmaking supplies to China.

“To refer again to the significance of KYB,” Armstrong notes, “firms with corporate customers will need to pay attention to any potential ties those customers may have to supply chains involving the fabrication of semiconductors, silicon wafers, and related technologies.” In our compliance survey, 34 percent of respondents said they planned to replace or upgrade their KYB solutions in 2023. And in 2021, Fatpos Global projected a market increase in electronic KYB from around $150 million in 2020 to over $533 million by 2030. 

To strengthen KYB processes, firms should evaluate whether existing CDD procedures include tailored processes for business customers. Key considerations may include:

• Business-specific supply chain risks will depend on up-to-date risk assessments that recognize key differences between individual and business entity risks.
• Compliance vendor risks – Even vendors offering compliance and KYB solutions should be thoroughly vetted. Though they help firms mitigate supply chain risk, they are also supply chain members and should be screened accordingly. 

3. Robust Process Resilience

“In addition to understanding the current nature of supply chains,” Armstrong concludes, “firms also need to assess the potential impact of sudden changes and ensure they have as much resilience built into their processes as possible.” Indeed, disruptions can generate ripple effects across multiple industries in sectors where the supply chain is complex. These effects come from economic pressures, rising financial crime trends, and evolving regulatory requirements.

To support supply chain resilience in a rapidly changing ecosystem, firms should establish transparent collaboration with customers. In light of disruptions exacerbated by the pandemic, there has been an international push for collaboration and transparency in the supply chain. When countries and suppliers collaborate internationally, sharing critical data on possible risks and disruptions, greater resilience is built into supply chains, making upheavals and adjustments less disruptive for everyone. Collaborative data can also boost effective supply chain AML/CFT risk management.

Using Technology to Mitigate Supply Chain Risk

Firms seeking to improve their supply chain risk management must balance this with natural business constraints. For example, the need to make KYB more risk-effective stands in tension with the need to streamline onboarding for legitimate customers. But a rise in tailored vendor offerings powered by next-generation tech can help address many of these pressing industry problems. 

How might firms leverage this technology to enhance their solutions? Technologies such as artificial intelligence, biometrics, and REST APIs allow businesses to streamline and integrate risk management services. APIs, in particular, enable firms to layer approaches like ID verification, digital forensics, behavioral analytics, and identity clustering to ensure powerful, specific risk management. New and evolving technologies such as those offered by machine learning, through an ability to ingest and manipulate a greater volume of data in more sophisticated ways, are rapidly changing the ability to detect trade-based money laundering.

Known as orchestration, this multifaceted approach allows firms to target bad actors more effectively while making processes smoother for legitimate customers. These high-tech solutions’ flexibility and scalability also allow for greater agility, supporting more resilient supply chain relationships. Partnered with newer, more affordable, and robust solutions, firms are in a position to tackle supply chain risks more efficiently.

The post How to Manage AML Supply Chain Risk in 2023 appeared first on ComplyAdvantage.

Our annual global compliance survey doesn’t just look at the anti-money laundering (AML) implications of hot topics like the uncertain global economy and Russia’s war in Ukraine, important though those are. It also takes an extended view, exploring the longer-term trends that shape how compliance professionals go about their work. 

This year, our third survey identified several key trends. One was that firms increasingly align technological transformations with structural reforms within their organizations, focusing on legacy system updates and better cross-team collaboration. Technologies such as artificial intelligence (AI) are also becoming increasingly popular as more firms adopt an integrated mindset regarding fraud and anti-money laundering (‘FRAML’). 

We explore all these themes and more in our industry trends report, but here are a few of the top takeaways: 

1. Firms are focused on aligning technological and organizational transformation

Amidst challenges related to managing customer data, ever-increasing regulatory expectations, and competitive pressure, firms increasingly recognize that they need to ‘get the fundamentals right’ – i.e., ensuring they have a fit-for-purpose underlying framework to facilitate future success. For the compliance function, this means how their data and teams are structured. 

More firms than ever told us that digitally transforming legacy systems – alongside integrating teams and cohesion – are key pain points. 39 percent of firms said digitally transforming legacy systems was their most significant compliance-related pain point, a two percentage point increase on 2021 and 6 percentage points higher than in 2020. This trend is likely self-reinforcing, with compliance officers moving between different financial institutions able to compare newer, more sophisticated tech stacks with older ones. As a result, they become more aware of legacy technologies’ limitations and more determined to implement modernization initiatives where they are needed. Indeed, when asked which area of the compliance function would be ‘at risk’ in an audit, 46 percent cited ‘data management,’ with 42 percent saying the suitability of the tech stack and 41 percent the effectiveness of procedures. 

2. Firms are moving from exploration to implementation with AI for financial crime risk detection

Efficient and accurate data analysis is vital for effective AML/CFT programs. As global financial crime trends continue to rise, compliance teams face growing datasets that outpace traditional tools even while budgetary and staffing pressures increase. 

But with artificial intelligence, vendors have begun to offer solutions with far superior capabilities that seamlessly address this dilemma. In a recent interview, PwC Luxembourg’s Andreas Braun highlighted how FinTech companies now leverage artificial intelligence in AML and know-your-customer (KYC) processes. In particular, he emphasized the tremendous data processing and analysis possible through AI, which helps solve traditional risk management efficiency and cost dilemmas. Artificial intelligence is quickly becoming a staple in financial compliance, thanks to its power and elegance.

The survey data bears this out. 99 percent of surveyed firms expect AI to impact financial crime risk detection positively. They anticipate specific gains in transaction monitoring. When asked which transaction monitoring use case AI could best help them with, firms overwhelmingly identified three:

• Alert Prioritization – 31 percent of respondents expected AI to help rank transaction alerts by risk. This enables transaction monitoring teams to catch more risky activity and do it faster.
• Flexible Tuning – 26 percent thought they’d use AI to improve their alert system – helping to adjust thresholds and fine-tune alerts responsively.
• Relationship Identification – 24 percent anticipated artificial intelligence would uncover new relationships between monitored entities and individuals. 

Only one percent of the respondents didn’t expect AI to benefit their transaction monitoring. 

3. PEP screening sophistication is increasing 

With politically exposed person (PEP) regulations varying globally, discerning global trends in how compliance teams approach PEP screening can be complex. This year’s survey, however, showed a clear shift toward a greater focus on mid-level government officials. When asked which area their firm most valued in a PEP screening solution, 39 percent said mid-level government officials, a ten percentage point increase on 2021 that made it the highest ranking factor. 

The data shows that firms increasingly recognize that there is no “one size fits all” classification when it comes to PEPs. In particular, there is a recognition that middle-ranking and even more junior officials could act on behalf of a PEP, circumventing AML/CFT controls. As a result, it’s entirely appropriate for firms to cover these less prominent public functions as customer risk factors as part of their enterprise-wide risk assessments. 

4. KYB solutions evolve to meet market expectations 

As AML regulations expand and business relationships grow more complex, firms are seeking to bolster an essential aspect of customer due diligence: know your business or KYB. KYC has often been the natural primary focus when considering global CDD requirements. But equally important are business-to-business relationships, which also fall under the CDD legislative scope. The UK’s Financial Conduct Authority (FCA) and the European Banking Authority (EBA), for example, leave their definitions broad, calling for due diligence on “business relationships.” 

In this year’s survey, more than a third of respondents – 34 percent – said they planned to replace or upgrade their KYB solutions. In 2021, Fatpos Global projected a market increase in electronic KYB from around $150 million in 2020 to over $533 million by 2030. Alongside global regulatory trends, this interest is partly thanks to a rise in tailored vendor offerings powered by next-generation tech. 

KYB solutions solve pressing industry problems. A 2022 PYMNTS study tied inadequate KYB to substantial fraud-related losses – including resources wasted on false positives. In contrast, firms using “proactive and automated solutions” experienced losses lower by roughly 34 percent. Nearly half of the surveyed organizations struggled significantly with digital business identity verification. PYMNTS identified an over-dependence on legacy solutions and limited resources among key factors holding firms back.

To find out more, download our Industry Trends spotlight report today

The post From AI to PEP Screening, These Trends Will Shape the Compliance Industry in 2023 appeared first on ComplyAdvantage.

Part 5 of the Compliance Team’s Guide to Customer Onboarding considers the three lines of defense while taking a closer look at the compliance team, highlighting best practices for conducting training, internal audits, and supervisory oversight. 

The line of business

Also known as the front line, the line of business consists of customer-facing employees best equipped to get the information firms need to meet their due diligence obligations. Operations, risk, and control teams that support the business may also be referred to as the first line of defense.

The line of business is responsible for implementing and maintaining policies and procedures and communicating these to all employees. It must also establish procedures for screening personnel to ensure high professional standards and deliver appropriate training on AML/CFT policies and procedures based on roles performed.

While individuals working within the AML/CTF space usually produce the training program, senior management must also review and agree upon it.

The compliance and internal control function

The AML compliance function is the second line of defense. This includes the chief money laundering reporting officer (MLRO) managing and monitoring AML/CFT activities. The AML officer is responsible for developing policies to ensure AML compliance and escalating identified noncompliance or points of concern to senior management.

The AML officer should be the contact point for all AML issues for internal and external authorities and be responsible for reporting suspicious transactions. Members of the second line of defense must have sufficient independence from the business lines to prevent conflicts of interest. 

The Compliance Officer’s additional responsibilities include:

• Managing the onboarding program
• Understanding of the firm’s current software packages, their strengths and weaknesses, and any gaps in the processes
• Linking with senior management
• Recruiting and training the onboarding team
• Maintaining a culture of compliance 
• Appointing deputies
• Investigating alerts and coordinating a group approach
• Ensuring that clients and transactions are monitored beyond the initial onboarding stage
• Overseeing the sanctions compliance program

The internal audit

A firm’s internal audit function independently reviews the controls applied by the first two lines of defense. The auditors should report to the audit committee of the board of directors, or equivalent, and independently evaluate the firm’s risk management controls through periodic assessments. These include:

• A review of both strong and weak elements of the AML/CTF function (as well as sanctions compliance activities)
• A set of readily identifiable recommendations with target dates for implementation as well as a list of names outlining responsibilities
• Any additional research senior management needs to sign off on the report

This report will need to link to previous reports to show any prior problems and whether steps were taken to address them. It will also need to be accessible for external review. Firms should note that regulators have previously fined businesses for failing to address weaknesses identified in their internal audits.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

• How to determine what level of due diligence is appropriate for different customers
• The importance of understanding ultimate beneficial ownership (UBO) structures
• How to report potentially suspicious behavior

After reviewing all five sections of the training, test your knowledge with a questionnaire and receive a completion certificate you can share with your LinkedIn network.

The post What are the Compliance Team’s Three Lines of Defense? appeared first on ComplyAdvantage.

Part 4 of the Compliance Team’s Guide to Onboarding discusses the importance of preventative and detective controls, particularly record-keeping and reporting measures.  

Maintaining records 

To demonstrate how much control compliance teams have over the onboarding process, firms need secure and accessible records. These records are the essential breadcrumbs in the audit trail of any money laundering or terrorist financing investigation.

While there is no definitive set of record-keeping requirements for every business type, there must be enough documentation that underpins a firm’s onboarding process to demonstrate why a specific client was onboarded and what steps they went through. The length of time firms must retain this information depends on local laws and regulations.

The following types of records should be maintained:

• Client identification and verification documents
• Information on the transaction and role played by the institution
• Customer due diligence prepared during the onboarding process
• Printouts that identify whether the client is sanctioned, a politically exposed person (PEP), or the subject of any adverse media
• Any information secured on the client’s source of wealth and source of funds
• Information not acted upon — including evidence of the decision not to act
• A record of clients not onboarded and the reasons why
• Correspondence between the engagement team and the onboarding team
• Proof of any internal and external escalations and decisions related to those escalations
• Material generated in the context of enhanced due diligence and ongoing monitoring

Firms must also keep records about the formal risk-based assessment, anti-money laundering, counter-terrorist financing, and sanctions compliance policies. Any changes to these policies must be recorded.

Reporting suspicious activity

The first stage of the suspicious activity reporting process is the responsibility of the onboarding or transaction team. A subjective conclusion must be reached that there are grounds for suspicion of money laundering, terrorist financing, or sanctions breaches concerning a particular client or matter.

From there, firms must follow their internal escalation protocols – the details of which are listed below:

The escalation process should then lead to the money laundering officers, who can determine whether the report should be escalated externally. This decision should be communicated to the onboarding and compliance teams before it’s escalated to the external authorities.

The money laundering officer can delegate the preparation of the external report to the deputy money laundering officer, the internal legal function, or some other relevant person in the onboarding or broader compliance functions. But that officer should have a role in overseeing and agreeing to the actual suspicious activity report before it’s sent to the relevant external authorities.

A suspicious activity report (SAR) must include the following:

• An explanation of the suspicion
• The property in question
• The activity the firm is being asked to undertake
• The actions the firm will take following the external escalation
• Whether or not permission is being sought to carry on any activity that may be construed as abetting money laundering

When a SAR has been filed, each institution should have a specific policy and process to follow. Staff responsible for contacting customers should receive training and fully understand the responsibility of not “tipping off” the customer about a possible SAR filing. Additionally, firms must observe local data protection and legislative requirements. Financial institutions cannot mention a SAR, whether they are considering filing one or having filed one. In some jurisdictions, the unauthorized disclosure of a SAR is a criminal offense.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

• How to determine what level of due diligence is appropriate for different customers
• The importance of understanding ultimate beneficial ownership (UBO) structures
• What training is required to equip new onboarding team members properly

The post Why Record-Keeping and Reporting is Important appeared first on ComplyAdvantage.

Part 3 of The Compliance Team’s Guide to Customer Onboarding discusses what these protocols can look like, including identifying an account’s beneficial owner, verifying a customer’s source of funds and wealth, and subjecting a third-party payor to the onboarding process.  

The Identification and Verification of Beneficial Owners

The term “beneficial owner” refers to the person or persons that have ultimate control over the funds in an account. During the due diligence process, compliance teams must identify an account’s ultimate beneficial owner and determine whether they’re legitimate or attempting to hide behind structures to launder money or finance terrorism. 

The percentage of control often determines beneficial ownership. For AML purposes, most jurisdictions require beneficial ownership information to be collected at a threshold of 25% or more. This means onboarding teams must identify every customer who owns at least 25% of a company. Each organization sets its own appropriate threshold. For high-risk customers, the beneficial ownership threshold can be as low as 10%.

However, the goal is more than figuring out who owns what percentage. The other key issue is “control.” In some cases, it is possible that an individual not meeting the ownership threshold can exercise control over the presenting entity. This is crucial when determining what degree of due diligence is appropriate for someone. For instance:

• When the presenting entity is located in a low-risk jurisdiction but the ultimate owning or controlling entity is located in a high-risk jurisdiction
• When the owning or controlling individual is a politically exposed person (PEP)

Understanding Source of Funds and Source of Wealth

Understanding where customers have acquired the funds they use to transact and invest is another essential component of the KYC process. In some cases, particularly with legal entities, compliance staff must determine both the customer and the beneficial owner’s source of funds (SOF) and wealth (SOW). The differences between these concepts and key questions to ask during the determination process are listed in the graphic below.

Compliance teams must record the information they used and how it influenced their judgment about the client’s SOF and SOW. These records should be stored and secured with the other onboarding due diligence records and available for later inspection.

Third-Party Payments

The receipt of payments by third parties typically presents little money laundering or terrorist finance risk. But when firms don’t know a third-party payor, compliance teams need to understand the rationale behind the payment.

To fulfill their compliance obligations and avoid facilitating criminal activity, organizations must be able to accurately assess the third-party money laundering risks that they face on an individual basis. Some key questions to ask include:

• What is known about the third-party payor? Have checks been conducted to determine if the third party is someone that raises money laundering, terrorist financing, or sanctions compliance risks?
• What is known about the relationship between the third-party payor to the client?
• Why is the third party undertaking the payment for the client?
• What proportion of the overall funding or fee is being provided by the third party?

If the onboarding team cannot determine a reasonable commercial rationale for the third-party payment, then the third party’s SOF and SOW should be determined. In these cases, the third-party payor should be subject to the same due diligence measures as a new customer.

Uncover more risk management best practices throughout each section of The Compliance Team’s Guide to Customer Onboarding, including:

• How to determine what level of due diligence is appropriate for different customers
• How to report potentially suspicious behavior
• What training is required to equip new onboarding team members properly

The post Ultimate Beneficial Ownership: Understanding Where The Money Comes From appeared first on ComplyAdvantage.