Banks Race to Adapt AML Systems for the Coronavirus Age

Patterns of fraudulent activity have changed markedly during the global coronavirus lockdown, but banks don’t expect much sympathy from regulators if their detection systems are found wanting as a result.

“They do recognize that there are challenges, but I would struggle to think of an argument that I could use to the Financial Conduct Authority (FCA) that I wasn’t able to validate my new risk assessment model just because of Covid-19,” says Richard Snookes, chief compliance officer at Sberbank CIB.

Banks have already found that fraud detection systems that use machine learning (ML) techniques to spot suspicious behavior needed to be recalibrated to be useful in the present climate, with large parts of the economy juddering to a halt.

Fraud experts say that is doubly the case with anti-money laundering (AML) controls: With far less cash being spent in businesses such as restaurants and street markets, which are often targets for money launderers, criminals are changing their behavior and coming up with new ways to dispose of their ill-gotten gains, which bank systems may not be set up to catch as readily.

The decline in footfall in traditional stores has also led to an increase in online spending, which creates more opportunities for fraud, says Andrew Fleming, a senior financial crime risk specialist at HSBC.

“We’re going to be challenged with identifying where criminal money is coming in,” says Fleming.

Many watchdogs, including the FCA, have encouraged the use of machine learning-based tools to combat money laundering. These systems can detect patterns of fraud that would be difficult to spot manually. At the same time, systems that depend on learned patterns of behavior may struggle to make sense of new realities. 

The FCA has also made clear it will fine banks if vendor systems are not appropriately tuned to the size and complexity of the business. Notwithstanding the efficiency gains from leveraging new technology, banks have to be prepared to prove to regulators that the systems have been adequately tested and conform to accepted risk practices.

“There’s no shortage of final notices that mention when the FCA was disappointed that although firms had spent millions on systems, they were just using the factory settings,” says Snookes.

I would struggle to think of an argument that I could use to the Financial Conduct Authority that I wasn’t able to validate my new risk assessment model just because of Covid-19

Richard Snookes, Sberbank CIB

After HSBC installed a new ML-based system, it saw a higher number of suspicious activity reports than the old system, says Fleming. However, during subsequent supervisory reviews, the bank’s regulators in Hong Kong were still keen to make sure the lender was thinking about where its new software might develop blind spots, he adds.

“They’re very keen that we implement new technologies, but they also want to make sure we don’t miss any suspicious activity reports. You’ve got to be able to show you’re still picking up the old risks in the new system, because if you miss them, then you have a risk that you’re not identifying,” he says.

The FCA has previously noted that vendor-supplied surveillance systems could fall short of Market Abuse Regulation requirements that surveillance procedures be calibrated to the scale of each firm’s business.

An FCA spokesperson declined to comment on whether the watchdog had adapted any of its supervisory policies on AML controls to account for the impact of the Covid-19-induced global lockdown.

The European Banking Authority, in a March 31 policy statement, called on banks to maintain effective money laundering controls during the crisis, and to remain vigilant against elevated risks of illicit funds transactions emanating from cash-intensive retail businesses and companies involved in international trade. It also called on regulators to make clear to financial institutions “that financial crime remains unacceptable, even in times of crisis such as the Covid-19 outbreak.’

Several large fines for AML violations have been issued since the lockdown began: In March, Swedbank was hit with a SKr4 billion ($407 million) fine over AML control failures, while in April, US regulators fined Industrial Bank of Korea a combined $86 million in penalties and disgorgement for violating AML laws, which allowed more than $1 billion to be sent illegally to Iran through its branch in New York.