Financial crime in the digital age is borderless, hard to track and very difficult to prevent. The move to frictionless payment systems, digital identity tools and increasing reliance on technology mean that monitoring and tracing fraudulent activity is increasingly challenging. On the flip side, technology enables greater visibility over data, the ability to spot unusual patterns of transactional activity and the promise of greater efficiencies and a wider range of intelligence.
Regulators are clear – businesses are welcome to use technology, but they should assess the risks and understand how to mitigate those risks. Whilst technology can be used to combat crime, it is not the panacea and human involvement and decision-making is still vital.
With a Moneyval assessment on the distant horizon and the NRA under consideration, Appleby organised a panel session also involving Alan Sheeley of Pinsent Masons and Adie Hale of Guernsey’s Financial Investigation Unit (FIU) to consider the threats and benefits of technology and practical guidance around the challenges faced by the regulated community. The core themes are summarised below.
Risks and benefits of technology in the world of financial crime
- The move towards frictionless payment systems means global money flows are much quicker and difficult to trace/halt effectively, unless immediate steps are taken
- Financial crime is borderless and we need solutions which work on the same basis
- Benefits include the ability to analyse significant amounts of data more efficiently and detect issues earlier, streamlining customer experience and wider sharing of intelligence
- Digital identity can enhance customer experience, but brings challenges in terms of verifying information
- Understanding the technology is key – what does it do (and not do), what benefits/risks are there around its use and what resource requirements are there in order for it to operate effectively?
- Changing attack vectors mean we need to be responsive to a range of issues, from external cyber attacks, to risks around cryptocurrencies and other digital assets and human error
- Artificial Intelligence (AI) is not the silver bullet….yet! There are plenty of good use cases and the pace of development is significant, but it is important to understand the risks and to use appropriate data sets to avoid unforeseen consequences around algorithmic and unconscious bias
Cryptocurrencies and digital assets
- Whilst cryptocurrencies have stolen many of the headlines, risks in this area go far further. Phishing emails and other cyber attacks, corruption of datasets and bribery are all areas impacted by technology
- Cryptocurrencies have received bad press due to the number of fraudulent schemes being set up in recent years. Onecoin is an example, where investors sent significant sums in respect of a project that created an illusion of success (using other investors’ money) by renting expensive offices and buying a yacht, whereas the reality was that this was in essence a digital Ponzi scheme
- Legal remedies around tracing and enforcing against cryptocurrencies and other digital assets are being developed (see the AA v Persons Unknown case) and more enquiries around these issues are arising in London
- Confirmation of digital assets as property (following the UK Jurisdictional Taskforce on Cryptoassets and Smart Contracts) will prove helpful in taking steps to push back against criminals
- Law enforcement teams are working together to develop responses, share intelligence and understanding around how these assets can be traced and enforced against (see also the GFIN initiative involving the GFSC)
- Schemes that play on emotions (rooms in care homes, romance scams, etc.), phishing attacks and spoof emails, 1MDB and champagne-fuelled parties and invoice fraud, all featured on the panel’s list of sophisticated/dangerous frauds
Exit Interviews and the life of an MLRO
- The recent introduction of (non compulsory) exit interviews for Money Laundering Reporting Officers (MLRO) by the Guernsey Financial Services Commission (GFSC) has raised a number of issues, including whether they might be used to glean information on regulated businesses for the purpose of further review/investigation
- Whilst that might be a corollary of the situation, the stated goal is to better understand the role and challenges facing MLROs
- In the absence of “whistleblower protection” in Guernsey, concerns were expressed as to MLROs being placed in difficult situations in terms of what they could say and the consequences arising, both for them and their former employer
- MLROs may want to seek advice on their position, the cost of that advice, and any insurance coverage issues
- The scheme is a pilot and as such, its impact remains to be seen
Threats and how to respond
- Human error (whether deliberate or otherwise) remains the top risk for businesses. It is the main cause of data and/or wider security breaches, and is a common source of fraud within organisations
- Training and awareness should be paramount, both in relation to safeguarding data and ensuring appropriate governance measures are in place to mitigate risks of “rogue employees” committing offences
- Access controls should be proportionate but implemented to reduce risk
- Board level engagement and culture are similarly key parts of the process
- Money should be invested in technology, but also in staff. Many of the systems rely on human input and/or require additional reviews to be effective. Having the latest technology will not necessarily save you from a fraud occurring and/or a data breach event
- To the extent that MLROs (or other staff) are underperforming, or issues are uncovered, then the board has to be proactive and manage the individual’s performance levels. Ultimately, this may lead to them leaving the business, but burying the issue will simply cause greater problems in the future
- Investing in insurance for appropriate risks is worthwhile,but careful advance consideration should be given to appreciating what risks exist and how best to mitigate them
The consent regime and potential reform
- The panel discussed the Liang decision and the importance of the MLRO maintaining independence; if the threshold for “suspicion” is met, then a suspicious activity report (SAR) should be lodged with the FIU. We have seen increasing willingness of customers to challenge the SARs lodged by institutions
- There are no such things as “defensive SARs” – either suspicion exists, or it doesn’t
- MLROs are under increasing pressure both in terms of volume and significance of decisions and in relation to resourcing
- The current consent regime was discussed in the Garnet decision and Guernsey’s unique position considered, however there is a growing body of opinion that an open-ended regime was giving rise to issues
- The UK regime requires a response from the National Crime Agency (NCA) within seven days, after which a monthly, rolling review of the position is implemented in the event of “no consent”
- Scrutiny over SARs continues, the FIU noting that the quality has improved following recent guidance
- Unexplained Wealth Orders (UWOs) were discussed in the context of tools available to UK regulators
- Jersey is looking at implementing a form of UWO regime and the panel discussed whether a similar regime might benefit Guernsey
- The interaction between the SARs and Data protection regimes is a growing area of concern
- Existing civil forfeiture powers might be used in the interim and indeed the Royal Court made an order using this power in January 2020
Guernsey, the world and Brexit
- The panel largely felt that the perception of Guernsey was positive, though grouping all “offshore” jurisdictions together was unhelpful and demonstrated a lack of understanding around the differences
- Guernsey has taken great strides forward in terms of maintaining and exceeding international standards, though political posturing would continue to be an issue; core messaging around the regime we have in place needs to be maintained
- In a post-Brexit world, the panel emphasised that as financial crime is borderless, the response should be collaborative and information sharing should continue; Brexit should not impact on current initiatives in that arena
Regulatory matters are of primary importance to business. The challenges of an increasingly fragmented political and regulatory landscape are legion – dealing with the rapid evolution of technology adds a layer of complexity.
The ability to harness and understand the potential of a range of tools, including AI, machine learning and robotic process automation can add much to the defensive armoury of a compliance team. It is however vital, that the proposition is adequately resourced and properly maintained. With an increasing number of regulatory enforcement matters on the horizon, and human error remaining the largest cause of incidents, training and awareness remains vital. Add to that the prospect of exiting MLROs being interviewed by the regulator; the importance of supporting these key team members cannot be overstated.
The significance and value of data cannot be overestimated. Securing that data is a core aspect of good governance and something that customers and clients have come to expect. The same goes for digital assets, including digital identity. The threats are as much directed towards the regulated community as custodians, as they are towards the wider population. Financial crime is borderless and increasingly, digital. We therefore need to not only be vigilant for potential issues at the client level, but also guard ourselves from such attacks.
Whilst reform of the regime may be on the distant horizon, there is much to be done in the interim to keep on top of not only regulatory developments, but technological tools which can help streamline the compliance process. Exciting times lie ahead.