Digital Identities for Controlling Money Laundering
I have recently spent a lot of time talking about KYC (Know Your Client), AML (Anti Money Laundering, often confused with ALM which is Asset and Liability Management), Client Onboarding, PEPs (Politically Exposed Persons) and SARs (Suspicious Activity Reports).
It’s all wrapped up in financial crime, compliance, legal, audit and operational risk. The core of the issue was sparked by the U.S. regulators going after HSBC and Standard Chartered but has spread to London where the FCA (Financial Conduct Authority) has started fining firms for misdemeanours. Some might say it’s about time, as the FCA’s predecessor, the Financial Services Authority (FSA), did pretty much nothing about money laundering by UK banks. As their own report discovered, around 75% of the firms do not pass the test required for effective AML:
Three quarters of the banks in our sample failed to take adequate measures to establish the legitimacy of the source of wealth and source of funds to be used in the business relationship.
Hence, it is low hanging fruit to go and investigate a bank and then fine it. Some might say that’s what happened with HSBC, when they were hit with $1.9 billion of fines for money laundering breaches in the U.S. Most of this was related to terrorism funding in the Middle East and drug runners in Mexico. The issue is that sometimes you just cannot tell who is a launderer and who is not. An Iranian born businessman, who has lived in America for 15 years and now has dual U.S. nationality, will open an account as an American citizen and send funds to Iran. Is that illegal? How could the bank know this in advance?
Ask any bank how many PEPs their counterparties might be shielding and they have no idea. In fact, they might know that the parent company of their Iranian-born businessman is American, and that this firm deals with overseas subsidiaries through the United Arab Emirates (UAE) in Dubai for the Middle East. The fact that the UAE subsidiary business then fuels funds into Iran is hard to catch. Nevertheless, it does happen.
Off the Network
The dollar is the global reserve currency and money launderers and terrorists want to trade in dollars and banks are the easiest way to do this. Or they used to be. Now, they’re all running scared of the U.S. authorities, who are throwing any suspicious countries off the network.
But what happens when these countries, companies and individuals are thrown off the network? They just find a way around the network. In Africa, we are seeing nested accounts growing rapidly, whereby countries off the network work through countries on the network to transact. This is true in places such as Lithuania, where a friend of mine tells me that the only banks that offer dollar FX services there are now Deutsche and Commerzbank. Everyone else has shut their doors.
In fact, the growth of alternative payment schemes such as Bitcoin is fuelled by the actions of countries and regulators to throw those who need to transact off the network. For example, one banker said to me that most of the barter business between corporates is to get around the network of banking. This is the nature of the network and the more that governments, especially the U.S., crack down on money launderers and terrorists, the more that money launderers and terrorists will seek to exchange through another mechanism that is untraceable, untrackable and off the network. In other words, hard cash dollars.
The bottom line is that there are huge problems catching and tracking financial crime. Interestingly, this is not cybercrime where criminals are robbing the bank, but terrorism and drug runners who are robbing from the government. Governments view banks as police for financial crime.
It’s an interesting nuance in our world of money. Banks are commercial businesses but, for money laundering purposes, they are the police. That is why governments fine banks so heavily when they’re not acting as effective police. If banks do not effectively stop the use of accounts for criminal purposes, it is not the criminal held accountable but the bank. That is how banks get a licence and can lose it, although I cannot think of any bank that has lost their licence due to money laundering weaknesses (Standard Chartered sailed close in the U.S.)
So, physical police protect our home, assets and person, with insurance to ensure that when they fail you are covered; banks protect our digital assets and ensure that society is not compromised by crime through the gains that criminals could make through money flows. When Georgian criminal gangs use Chinese servers to harvest European consumer credit card numbers to buy goods from American websites, the physical police break down. That’s why banks have to be at the heart of global crime and why we have PEP databases and KYC.
The question then is: do banks apply such rules effectively? The answer is no. Banks apply the rules as much as they feel they need to, within budget. It was interesting that in a recent conference one of the regulators from the SEC was asked how much banks should spend on AML and he answered, “That’s not how we look at this. We ask, ‘Could you have done more?’”
In other words, a bank will apply the minimal level of AML controls to meet the rules, but the regulator will ask if you did enough if you found a breach of those rules and, if not, will go after you. That’s what happened with Standard Chartered and HSBC. The head of compliance for HSBC told me that he had been aware of the exposures in Mexico well before they came to light. He reported it and recommended that the bank change approach. However, the Latin American management team were making good profits and ignored the advice.
So it’s that balance between culture and rewards, risk and reputation, control and cost that all fed into the mix of having an effective financial crime unit. But there are some things that are starting to change the game. For example, KYCExchange allows clients to enter their KYC data into one central hub that is then shared with all relevant entities. This means that you don’t need to enter KYC with every counterparty globally but just once, and it’s shared on request and updated through the cloud as anything changes. SWIFT is developing something similar to the KYC Exchange.
But the core of all of this really is identity, which is the New Money. It’s identity that is at the core of KYC and if you have effective digital identity management then the policing of financial crime should become much easier.
Mr. Skinner is chairman of the Financial Services Club, CEO of Balatro Ltd., comments on the financial markets through his blog the Finanser, and is the author of Digital Bank. He can be reached at [email protected].