Compliance has often been a checkbox exercise, primarily seen as a defensive strategy in preventing financial penalties and PR embarrassments. However, some organizations have taken a different approach. They’ve used compliance on the offensive - to give a competitive edge, turning “compliance teams” into “innovation teams”. These companies have improved processes and increased customer experience. They’ve installed an elevator instead of fixing the ladder.
Money Laundering ≠ Financial Engineering
This wasn’t always the case. Over the last 100 years financial organizations and their executives have been in and out of hot water due to (un)knowingly facilitating the illicit activities of customers. For those who have seen “The Untouchables” (1987) it perfectly depicts how Al Capone used the financial system to industrialize money laundering, to a truly impressive scale. The amount he laundered is estimated at over $100m ($1.3Bn inflation adjusted to today). It is telling that Capone was ultimately brought down by Eliot Ness on tax evasion charges and NOT the slew of other felonies connected to his nefarious activities. This reinforces the age old adage “Follow the money”; with the rapid pace of technological change this has never been truer than it is today.
Losing $100bn’s to tax evasion through money laundering is one thing but when such activity starts to directly affect National Security it marks the crossing of a thick red line. 9/11 was that red line, as found on the 9/11 Commission report stating the funding for the attacks was channeled through "formal banking channels”. The remedial actions in the report led to the US Patriot Act (2001) - some of the most far reaching legalisation in modern times under the umbrella of privacy and further tightening money laundering regulations.
As outlined above, the problem has existed for a very long time, but solutions have only ever been to implement more stringent regulations and effectively increase the cost of operations. The enforcement of such policies is a classic example of how something that makes sense in theory but proves infinitely more difficult to implement in the real world with some unintended consequences. It's only in the last 15 years that organisations have even had the opportunity to really get in front of the problem. The key reason being that in the last decade there has been a number of orbit-shifting technical and environmental drivers;
- on the technical side we have the advent of: “Big Data”, Cloud, IoT, ML, DLT, mobility
- on the environmental side: cashless society (ApplyPay, AliPay, WePay, Mpesa), “de-dollarisation” of the global economy, drastic shift to online services (Amazon, Uber, etc), increasing use of sanctions (people, companies and countries), digitization of governments (Smart Cities, “Open Data”).
DLT (Distributed Ledger Technology) is one of the orbit-shifting technologies that many have touted as a money launderers playground, especially after its appearance as a medium of exchange on the dark website “Silk Road”. The reality is cash (some would argue gold) is still the MOST anonymous method of exchange, no one knows how much of it you have nor with whom you have transacted.
Cryptocurrencies like Bitcoin (BTC) are the exact opposite - well sort of. In fact you can download the entire blockchain from the infamous day someone bought a pizza for 10,000 BTC (that’s a $100,000,000 pizza!!) and find out how much is sitting in each wallet and the transactional relationships between wallets. Each wallet itself cannot be traced to an individual (PII) - this is where anonymity comes from. The anonymity disappears when one tries to transfer crypto assets back to "real world” (fiat) currency and enter the formal banking system. This bridge between the crypto and the fiat world happens via crypto exchanges and are essentially the ONLY viable step to connecting an anonymous wallet to a real world identity. It is for this reason such crypto exchanges have been on the receiving end of some of the most stringent compliance regulation around KYC (Know Your Customer). In fact some countries have even gone so far as to ban them from operating all together - Denmark, India, Thailand - as they are seen as a direct threat to the financial system.
The chart below further illustrates how the transparency of the blockchain really doesn't lend itself to an effective medium of transfer for criminals.
Credit: Chainalysis (2020). Crypto Crime Report
KYC is rarely a one and done operation, in fact it is a circular and iterative process that is refined over time. The U.S. sanctions list is a good example - someone might be a legitimate trading partner for years but through a set of actions the individual, or an associated company/country gets added to a U.S. Dept. of the Treasury list - now you have a serious reporting obligation. Whilst this sounds like a nightmare from a compliance perspective, with the right processes and tech in place the burden can be lessened drastically.
The biggest hurdle organizations face today keeping on the right side of compliance (KYC or otherwise) is the ability to distill unimaginable volumes of data (internal and external) and to find the handful of potentially non-compliant anomalies. The problem stems from the “type” of data that holds the answer. Structured data has had decades of innovation and is pretty well understood. Conversely the “(semi/un)structured space” is still in its infancy and yet it holds the key to winning the compliance battle. A good example of this is the very well documented case of fraud that impacted Bangladesh’s Central Bank. If there was some rudimentary analytics performed on the semi-structured SWIFT Messages (MT10x) the $80m fraud could have been prevented.
The power of having a solid workflow engine coupled with the ability for stakeholder groups (technical or otherwise) to painlessly interrogate a “data lake” lends itself to much more than being compliant - in fact you are missing a trick if you use such a platform for ONLY compliance. There is a huge business opportunity in being able to investigate this data and truly understand the DNA of your business.
“The World is One Big Data Problem”
-Andrew McAfee, co-director of the MIT Initiative
Once the foundations are in place (data ingestion at scale, workflow, enforcement of logic and low latency search capabilities) the final level of maturity would be to apply machine learning techniques. Put simply ML aims to find relationships that would be near enough impossible for humans to detect especially with the volume and velocity of modern day enterprises. The obvious and high value use-case for such a capability for financial institutions is fraud detection. With ever increasing fraud rates the deployment of such a platform could potentially pay for the capital and running costs many times over. In my conversations with customers on this topic it's actually scary to report that a large number of organisations actually cannot even put a number on how big their fraud problem is - you can't fight what you can't see. The skills and talent required to fight this problem through the integration of data can be leveraged to create a factory by which this capability can then be used beyond compliance and augmented for cost reduction, creation of new products, better customers insights, etc
In conclusion the modern enterprise, irrelevant of your core business has to be a data first in its mindset to be relevant and to survive. This has been clear to see in the performance of the key players digital players during COVID-19. The organisations that “collect the dots” and then effectively “connect the dots” will not only be able to be on the right side of ever increasing regulations but as a beneficial by-product gain a huge competitive edge. For more information on how to harness the power of unstructured data in financial services check out our free eBook - “40 Ways To Use Splunk In Financial Services”.