Banking Experts: Tech Isn't the Whole Solution to Financial Crime

Banking industry experts are debating the effectiveness of technological solutions in preventing financial crime, in the wake of revelations that some of the world’s largest banks helped criminals move dirty money around the world.

In September, news website Buzzfeed and the International Consortium of Investigative Journalists broke a story revealing how some of the world’s biggest banks are financing international criminals, and exposing the inaction of the US government and law enforcement in clamping down on illegal activity. In light of the so-called “FinCEN Files” scandal, some banking experts and researchers are debating how to confront the failures and weaknesses of the current financial crime regime.  

In one camp are those who say that it’s worth exploring privacy-enhancing technologies (PETs) and data-sharing techniques to combat pervasive financial crime; in another are those who believe the entire system for transaction monitoring, including the regulatory framework, needs to be reformed.

Geraldine Lawlor, global head of financial crime at KPMG, is one of those who falls into the second camp. Lawlor said she believes the current system for alerting and combating financial crime needs to be fixed from an “end-to-end perspective”. Enhancing alert systems and deploying new technologies within banks is all well and good, but law enforcers also have a crucial role to play in combating financial crime, she said.

“It’s all very well to enhance what the banks are doing, but if you don’t have the enhancements on the other side as well, in terms of what law enforcement are seeing or receiving, then again the system end-to-end is just not going to be working as effectively as it could be,” Lawlor said, speaking on a panel discussion on transaction monitoring at Sibos 2020.

Lawlor argues that it isn’t enough for banks to bolster their detection systems. Regulators will similarly need to enhance their own tech stack to cope with the growing volume of alerts and suspicious activity reports (SARs) that they receive. There are many concerns over the effectiveness of current financial crime regime. For one, banks are mandated to submit SARs to the Financial Crime Network (FinCEN) within 30 days of the suspicious activity, such as fraud or terrorist financing, being detected. This delayed approach “is no longer acceptable”, said Lawlor, and both banks and regulators will need to develop their technical capabilities to deal with real time alerting in the future. 

Banks are exploring PETs for anti-money laundering (AML) or know-your-customer (KYC) uses cases, to enable them to share intelligence and make computations on data without having to decrypt it—though this technology can be very expensive to research and produce, and useful applications could in some use cases be years away. PETs are a family of technologies that draws on research in cutting-edge concepts like homomorphic encryption, secure multi-party computation, trusted execution environments, zero knowledge proofs and federated learning.

Nick Maxwell, head of research for the Future of Financial Intelligence Sharing (FFIS) programme, which is run by the British defense and security think tank, the Royal United Services Institute (RUSI), is working with several banks on pilot projects using PETs.

“Privacy-enhancing technology offers the opportunity for those data owners to collaborate with other data owners, data processors, or analysts without having to reveal their underlying data,” Maxwell said, speaking on the same Sibos panel.

These solutions, however, could be used to bypass global privacy laws that prevent banks from sharing client information with one another. Even those in favour of PETs for financial crime use cases say that small changes to regulations like the General Data Protection Act could be a simpler option than having to deploy expensive new technologies like PETs across multiple banks. 

“I’m not a naysayer of privacy-enhancing technology, but I do wonder whether we are proposing solutions—could we actually get to a solution from a different direction by adjusting regulation?” Tom Keatinge, director of RUSI, said during the discussion.

KPMG’s Lawlor agreed, saying that policy changes should be considered as part of a broader initiative to reform the current financial crime regime.

Another argument is that while global privacy regimes exist to protect client’s data, they can also inadvertently help criminals escape detection. 

“I think the challenge is to work with jurisdictions and lawmakers on getting that [regulatory] balance, where those [data privacy] protections don’t operate to tip the scales in favour of criminal activities, [and facilitate a regulatory environment] that kind of allows illicit financing, or terrorist financing to flourish,” Andrea Sharrin, the managing director of financial crime Americas Investment Bank at Barclays, said during the panel. 

‘Cost-Heavy and Data-Hungry’

Some banks are hesitant to commit to PET solutions for many reasons, and the efforts to develop a utility for AML or KYC are often met with logistical concerns. For instance, banks already have issues trying to integrate their own internal platforms, let alone connecting systems across different firms.

“I often say it’s almost easier to build a bank from scratch than it is to try to overlay some of this [PET solutions] on existing platforms,” Sharrin said.

The cost of deploying new alert systems also plays a factor. Lawlor described transaction monitoring as a “cost-heavy and data-hungry” exercise. According to a study by ResearchandMarkets.com, transaction monitoring spending is expected to grow to $16.8 billion by 2023. In 2018, the Monetary Authority of Singapore, for example, shelved its first project to form a bank-led KYC utility in 2018, citing poor design and high cost. In November 2019, the regulator announced its second attempt to develop the utility.

This year, five Dutch banks—ING, ABN Amro, Rabobank, Triodos Bank and De Volksbank—agreed to develop a transaction monitoring utility platform to fight terrorist financing.

Lawlor said that one challenge to look out for is that a utility platform might not work for all types of financial crime. Not all illicit activity comes from criminal networks that target multiple banks, which are easier detected in a shared dataset. But criminal activity also comes from individual bad actors that may only target a single institution. Lawlor said there needs to be clear understanding of how the utility model is expected to work.

“I think [this issue] will come up in relation to initiatives like we’re seeing in the Netherlands, which is coming together, looking at it [financial crime] collectively, But what happens within their own individual institutions and how do they manage their own personal risks and accountabilities within that? Are they going to be allowed to move into that collective environment singlehanded, or will they still be expected to manage their own risks internally? And if you end up with this hybrid approach, that can become quite costly to manage,” Lawlor said.

In the context of a KYC or AML utility, PETs would allow a bank’s financial crime team to perform computations on a shared datasets for detecting financial crime without having to decrypt it first. The team could match data points, run queries, and apply machine learning or regression analysis techniques on the data while its secrecy is uncompromised.

One issue with this approach, however, is that humans can’t make well-informed decisions on the data without being able to see and understand it. And if banks don’t understand the problems in front of them, the jury is out on whether these new solutions will satisfy all law enforcers. 

“To the extent that these privacy enhancing technologies don’t give us insight into a certain level of detail, the question is, Will that be sufficient to make certain decisions in the eyes of the supervisor?” Sharrin said.