
Digital Innovation and Financial Crime: A Comprehensive Guide to Building an Effective Anti-Money Laundering Compliance Program in the Era of Technological Advancements

Digital Innovation And Financial Crime

Digital innovation and financial crime are intrinsically linked in the modern era, requiring businesses to continuously adapt their strategies and compliance frameworks to mitigate associated risks effectively.

To protect the integrity of the economy and financial system, entities across all industries need to be aware of financial crime risks when engaging with new or existing customers who may pose a higher risk. Over the last few years, technological innovation and the evolution of digital assets and currencies have grown exponentially, catalyzed by the need for access to financial systems during pandemic lockdowns. 

Financial crimes have become an increasingly borderless phenomenon in the globalized world. Digitalization acts as a double-edged sword, providing opportunities for fraud and money laundering through the creation, alteration, or theft of information.


Digital Innovation and Financial Crime

Money laundering techniques have become more sophisticated over the years alongside technological innovation. Front companies are being used by criminals who can better conceal their identities when entering transactions or opening accounts. Identity theft is an example where fraud risk converges with money laundering, allowing bad actors to disguise illicit activities through victims’ accounts. These crimes often arise and/or piggyback off one another.

An effective AML Compliance program consists of:

  1. Robust enterprise-wide anti-money laundering framework 

Financial crime risks, including money laundering and terrorist financing risks, are important components of the overall enterprise-wide risk management framework and compliance activities. 

In any organization, the design of an AML compliance framework starts with articulating the organization’s risk appetite, which then drives the risk management and AML compliance policies. 

There is no one-size-fits-all approach, particularly with Fintech. Therefore, this exercise requires extensive risk assessment based on both external and internal environments. This is an ongoing process by which a firm determines the risks that exist and how they can be mitigated.

The implementation of the policy entails setting up the risk governance and control environment which includes the formation of the board of directors, audit committee, executive committee, and the three lines of defense: 

  • 1st line – Business operations which perform the day-to-day risk management activities;
  • 2nd line – Risk and Compliance provide oversight and set directions, defining policy, and providing assurance. The Compliance Officer who is responsible for the review and implementation of the AML program for the firm must be well trained and qualified and given access to necessary resources to fulfill the needs for the role; and
  • 3rd line – Internal Audit offers an independent challenge to the levels of assurance provided by business operations and oversight functions and ensures that the systems and controls function effectively. Outcomes from the audit are inputs for continuous improvement of the compliance risk management process. 

  2. Effective customer lifecycle governance framework

The customer lifecycle is the process that encompasses customer selection, acceptance, and exit. This lifecycle can be broken down into 5 parts:

  • Understanding risk: setting up a risk rating methodology that takes into consideration factors such as customer types, geography (i.e., where customers are from and where they operate), business segment, products/services, and delivery channels. With technology and big data, the use of risk algorithms, the range of other information that can be included in the risk rating, and the means of accessing this information have all increased.
  • Customer due diligence is the application of processes and controls that use risk assessment, the results of which influence the decision to accept or decline a business relationship with a particular customer. Depending on the business model, non-face-to-face customer due diligence is often employed in Fintechs. This makes use of identification/verification technology to prevent fraud risks at onboarding by matching data points. The technology includes a liveness test, name screening for sanctions and PEPs through automated online searching, and private and public third-party data providers.
  • Existing businesses or clients are subject to ongoing review and monitoring. This includes periodic due diligence, transaction monitoring, and red alerts. The increased use of digital solutions for AML/CFT based on Artificial Intelligence (AI) with machine learning and natural language processing capabilities can potentially help to better identify ML/TF risks and to respond to and monitor suspicious activity. Improved real-time monitoring and information exchange capability enable more informed oversight of risk assessments, onboarding practices, accountability, and overall good governance whilst saving cost.
  • Reporting and escalation procedures involve monitoring trends, including establishing KPIs, and other statistics for internal stakeholders for information and/or decision-making. External reporting entails reporting to external stakeholders such as investors, external auditors, regulators, and authorities, including suspicious activity or transaction reporting. Escalation refers to breaches that need to be escalated upon their identification. 

  • Mitigating risk or exiting the relationship: Prospective customers may be rejected during the initial risk assessment if they are determined to be beyond a company’s risk profile and appetite. Conditions may change after business relationships have been established, which may be related to changes in the business, regulatory environment, customer activities, or alerts generated from transaction monitoring.

This may call for decisions to be made to terminate the business relationships. One cannot downplay the importance of governance in this process as there can be a significant reputational or regulatory impact on the firm. The policies and procedures on customer exits must be established.

Prevention of Money Laundering Risks

Regardless of the nature of the relationship or virtual asset (VA) transaction, the obliged entities should have in place customer due diligence (CDD) procedures that they effectively implement and use to identify and verify on a risk basis the identity of a customer, including when establishing business relations with that customer; where they have suspicions of ML/TF, regardless of any exemption of thresholds; and where they have doubts about the veracity or adequacy of previously obtained identification data. 

Like other obliged entities, in conducting CDD to fulfill their obligations under Recommendation 10 of FATF, the obligated entities should obtain and verify the customer identification/verification information required under national law. Typically, the required customer identification information includes information on the customer’s name and further identifiers such as a physical address, date of birth, and a unique national identifier number, such as the national identity number or passport number. 

Depending upon the requirements of their national legal frameworks, VASPs are also encouraged to collect additional information to assist them in verifying the customer’s identity when establishing the business relationship, authenticating the identity of customers for account access, helping determine the customer’s business and risk profile and conduct ongoing due diligence on the business relationship, and mitigate the ML/TF risks associated with the customer and the customer’s financial activities.


Such additional, non-core identity information, which some VASPs currently collect, could include, for example, an IP address with an associated time stamp; geolocation data; device identifiers; VA wallet addresses; and transaction hashes. The verification of customer and beneficial ownership information by VASPs should be completed before or during the establishment of the relationship.

Based on a holistic view of the information obtained in the context of their application of CDD measures, which could include both traditional and non-traditional information, VASPs and other obliged entities should be able to prepare a customer risk profile in appropriate cases.

A customer’s profile will determine the level and type of ongoing monitoring potentially necessary and support the VASP’s decision whether to enter into, continue, or terminate the business relationship. Risk profiles can apply at the customer level (e.g., nature and volume of trading activity, the origin of virtual funds deposited, etc.) or at the cluster level, where a cluster of customers displays homogenous characteristics (e.g., clients conducting similar types of VA transactions or involving the same VA).

VASPs should periodically update customer risk profiles of business relationships to apply the appropriate level of CDD. If a VASP uncovers VA addresses that it has decided not to establish or continue business relations with or transact with due to suspicions of ML/TF, the VASP should consider making available its list of “blacklisted wallet addresses,” subject to the laws of the VASP’s jurisdiction.

A VASP should screen its customer’s and counterparty’s wallet addresses against such available blacklisted wallet addresses as part of its ongoing monitoring. A VASP should make its risk-based assessment and determine whether additional mitigating or preventive actions are warranted if there is a positive hit.

VASPs and other obliged entities that engage in covered VA activities may adjust the extent of CDD measures, to the extent permitted or required by their national regulatory requirements, in line with the ML/TF risks associated with the individual business relationships, products, or services, and VA activities, as discussed above under the application of Recommendation 1. 

VASPs and other obliged entities must therefore increase the amount or type of information obtained or the extent to which they verify such information where the risks associated with the business relationship or VA activities are higher, as described in Section III. Similarly, VASPs and other obliged entities may also simplify the extent of the CDD measures where the risk associated with the business relationship or activities is lower.

However, VASPs and other obliged entities may not apply simplified CDD or an exemption from the other preventive measures simply on the basis that natural or legal persons carry out the VA activities or services on an occasional or very limited basis. Further, simplified CDD measures are not acceptable whenever there is a suspicion of ML/TF or where specific higher-risk scenarios apply.

Not all virtual asset service providers (VASPs) are the same. They vary in size from small independent businesses to large multinational corporations. Similarly, no country’s AML/CFT regime for VASPs is the same and countries are introducing their measures at different paces. Different entities within a sector will pose higher or lower risks depending on a variety of factors, including products, services, customers, geography, the AML/CFT regime in the VASP’s jurisdiction, and the strength of the entity’s compliance program.

VASPs should analyse and seek to understand how the ML/TF risks they identify affect them and take appropriate measures to mitigate and manage those risks. The risk assessment, therefore, provides the basis for the risk-based application of AML/CFT measures.

Regardless of the nature of the relationship or VA transaction, VASPs and other obliged entities should have in place CDD procedures that they effectively implement and use to identify and verify on a risk basis the identity of a customer, including when establishing business relations with that customer; where they have suspicions of ML/TF, regardless of any exemption of thresholds; and where they have doubts about the veracity or adequacy of previously obtained identification data.

As long as global implementation of the FATF Standards on VASPs remains lacking, managing these kinds of relationships will pose a continuing challenge. This underscores the importance of implementation and suggests that VASPs will have to consider additional control measures for countries with weak implementation, such as intensive monitoring of transactions with VASPs based in the country, placing amount restrictions on transactions, or intensive and frequent due diligence.

Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions. Otherwise, the VASP may face a tough decision in whether to deal with VASPs based in a country with weak or non-existent implementation.

When establishing a new counterparty VASP relationship, a VASP may obtain information set out by FATF Recommendations 10 and 13 directly from the counterparty VASP. Under the requirements of those Recommendations, this information should be verified. Examples of potential reliable, independent sources of information for the verification of the identity and beneficial ownership of legal persons and arrangements include corporate registries, registries maintained by competent authorities on the creation of regulated institutions list, registries of beneficial ownership, and other examples mentioned in the BCBS General Guide on Account Opening.

The VASP would need to assess the counterparty VASP’s AML/CFT controls to avoid submitting their customer information to illicit actors or sanctioned entities and should also consider whether there is a reasonable basis to believe the VASP can adequately protect sensitive information. This is similar to the process set out in FATF Recommendation 13, sub-paragraph (b), but in a more risk-based manner. In practice, such an assessment could involve reviewing the counterparty’s AML/CFT systems and controls framework.

The assessment should include confirming that the counterparty’s AML/CFT controls are subject to an independent audit (which could be external or internal). VASPs should have recourse to altered procedures, including the possibility of not sending user information, when they reasonably believe a counterparty VASP will not handle it securely while continuing to execute the transfer if they believe the AML/CFT risks are acceptable. In these circumstances, VASPs should identify an alternative procedure, whose control design could be duly reviewed by their supervisors when requested.


Final Thoughts

The rapid development and ubiquity of technology have forever altered the landscape of global finance, bringing with it both opportunities and risks. As money laundering methods continue to evolve with digital innovation, organizations across all industries must vigilantly assess and manage financial crime risks. Establishing an effective Anti-Money Laundering (AML) compliance framework and adopting robust customer lifecycle governance practices are key strategies in mitigating these risks.

As entities navigate the intricacies of this digital age, leveraging technology and Big Data can enhance risk identification, customer due diligence, and overall compliance. However, harmonizing AML/CFT measures globally remains a challenge, underscoring the importance of consistent implementation and rigorous controls. In conclusion, as we embrace the digital revolution, prioritizing and investing in comprehensive AML programs is more crucial than ever to safeguard the integrity of our financial systems.