The war on money laundering is going the way of the war on (some) drugs

In a study published last year by financial-crime expert Ronald Pol, he concluded that the global AML system could be “the world’s least effective policy experiment”. Personally, I would have guessed that that accolade belonged to the global war on (some) drugs, but perhaps Ronald has a point. He notes that the compliance costs for banks and other businesses could be more than 100 times higher than the amount of laundered loot seized.

Urine

Cash or charge? (CC-BY-ND 4.0)
NFT available direct from the artist at TheOfficeMuse (CC-BY-ND 4.0)

These comments remind me of those of Rob Wainwright, then Director of Europol, when talking about the great success of the continent’s $20 billion per annum anti-money laundering regime. He said that “professional money launderers are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate”. This concurs with the figure given in The Economist. Although we are only intercepting a miserable one percent of the dirty money, the costs that the regime impose on the finance sector are staggering. Yet these enormous costs achieve nothing. The Money Laundering/Terrorist Financing (ML/TF) regime is, according to the Journal of Financial Crime 25(2), “almost completely ineffective in disrupting illicit finances and serious crime”. 

Direction of Travel

It’s going to get worse, of course. In the UK, many organisations are not yet compliant with the EU’s Fifth Anti-Money Laundering Directive (5MLD) and there is a Sixth Anti-Money Laundering Directive (6MLD) on the way. And the reach of the Financial Action Task Force (FATF) is being extended into cryptospace, so there’s no way to get round the bureaucracy. A couple of years ago FATF extended their recommendations to include cryptocurrency exchanges and wallet providers (together referred to as Virtual Asset Service Providers, or “VASPs”). This meant that all countries should apply anti-money laundering and anti-terrorist financing controls to these businesses: that is, customer due diligence (CDD), suspicious activity reports (SAR) and, importantly, the “Travel Rule” that aims to prevent money laundering by identifying the parties to a transaction when value over a certain amount are transferred. 

The decision to apply the same travel rule on VASPs as on traditional financial institutions was greeted with some dismay in the cryptocurrency world, because it meant that service providers must collect and exchange customer information during transactions. The technically non-binding guidance on how member jurisdictions should regulate their ‘virtual asset’ marketplace included the contentious detail that whenever a user of one exchange sends cryptocurrency worth more than 1,000 dollars or euros to a user of a different exchange, the originating exchange must send identifying information about both the sender and the intended recipient to the beneficiary exchange. The information must also be recorded and made available to “appropriate authorities on request”.

However, when speaking at the “V20 Virtual Asset Service Providers Summit” in 2020, Carole House from the Financial Crimes Enforcement Network (FinCEN) said that they want to see this threshold reduced to $250 for any transfers that go outside the US because their analysis of SARs filed from 2016 and 2019 showed the mean and median dollar values to be $509 and $255 respectively. Almost all the transactions began or ended outside the U.S.

Note that the information demand is quite extensive. According to the FATF Interpretive Note to Recommendation 16, the information should include name and account number of the originator and benefactor, the originator’s (physical) address, national identity number (or something similar) or date and place of birth. In essence, this means that counterparty’s personal information will sent around the web. Simon Lelieveldt, a former Head of Department on Banking Supervision at the Dutch Central Bank, is very well-informed and level-headed about such things, and even he called this a “disproportional silly measure by regulators who don’t understand blockchain technology”, which may be a little harsh even if not too far from the truth.

Surely the extension of the travel rule signals that it is time for a rethink. We need to begin with the fact that live in a world of data science, machine learning and artificial intelligence (AI) and understand that we cannot tackle crimes such as money laundering without machine brains to help us. This line of AI-centric thinking can be more disruptive than might seem at first glance because it suggests an alternative vision of regulation where we do away with a lot of the expensive barriers to entry to the financial system, those pot holes for criminals but chasms for legitimate users and instead use machine brains to police what is happening inside the system.

AML Isn’t Working

In other words, instead of trying to prevent criminals for getting in to the system, we should instead let them in and monitor what they are up to. If we force them to continue using cash, then we have no idea what they are up to! Whereas if we can persuade them to use electronic transactions of some kind, particularly those that leave an immutable record of criminality, then we would would actually be better off! Since cash cannot be tracked around the economy, we (society) have put in place a whole bunch of complicated and expensive rules about accounting for cash when it enters the financial system. But suppose there wasn’t any cash. Suppose there was only Bitcoin. In that case, as I pointed out some time ago, you wouldn’t need anti-money laundering (AML) regulations at all because you would be able to follow every coin around the blockchain!

Many observers, and Bitcoin fans in particular, say that this is nonsense because there are a variety of ways to jumble up and otherwise obfuscate the sources of value in transactions on the Bitcoin network. I never saw this as a realistic barrier to criminals though, and I noted that a simple rule that required banks to investigate any coins that had originated in anonymous wallets (or mixers) would be sufficient to stop the large-scale use. Also, you will remember that U.S. Department of Justice (DoJ) has already shown its intentions. You will remember they indicted Larry Harmon for creating the Bitcoin mixer “Helix” (in addition, Fincen fined him $60m last year) and have just arrested Roman Sterlingov, the alleged operator of Bitcoin Fog, a custodial bitcoin mixer that it says processed over 1.2 million BTC.

We erect (expensive) KYC barriers and then force institutions to conduct (expensive) AML operations, using computers and laser beams to emulate handwritten index cards and suspicious transaction reports (STRs). But as I have suggested before, suppose that KYC barriers were a lot lower so that more transactions entered the financial system. And suppose the transaction data was fed, perhaps in a pseudonymised form, to a central AML factory, where AI and big data, rather than clerks and STR forms, formed the front line rather than the (duplicated) ranks of footsoldiers in every institution. In this approach, the more data fed in then the more effective the factory would be at learning and spotting the bad boys at work. Network analysis, pattern analysis and other techniques would be very effective because of analysis of transactions occurring over time and involving a set of (not obviously) related real-world entities.

They have already taken a step towards this is in the Netherlands, where ABN Amro, ING, Rabobank, Triodos Bank and de Volksbank formed a consortium (Transaction Monitoring Netherlands, TMNL) to share data and identify unusual patterns in payments traffic that the individual banks cannot spot for themselves. Let’s hope they are successful, because estimates suggest that €16 billion of criminal money is laundered in the Netherlands each year from activities including drugs, human trafficking, child pornography and extortion.

British Opportunity

Michael Harris, director of financial crime compliance at LexisNexis Risk Solutions, commented that the release of the FinCEN files highlighted the “myriad issues” with the UK Anti-money laundering (AML) system – an ineffective suspicious activity report (SAR) regime, the poor use of data and technology and a legal system that inhibits information sharing and a culture that allows companies to hide their beneficial owners through offshore registered entities. There are other related negative impacts too: I remember a discussion with the then-Treasury minister Andrea Leadsom at techUK back in 2015, during which she noted that CDD is itself a friction against a more competitive financial services sector because it serves to create a moat around the larger incumbents.

I think that UKplc should rethink compliance for competitive advantage. As part of a post Brexit project to boost British invisibles, we should take jurisdictional competition seriously and create a compliance regime built on new technology not and industrial age mishmash of shaky identification documentation and millions of suspicious transaction reports. It is time for some new thinking. Omar Magana wrote a very good piece of this for the Chartwell “Compass” magazine. He asked whether “the enforcement of a regulation that was created over 20 years ago for a fast-evolving industry, may not be the best approach”. Note that he is not arguing against regulation, he is arguing (as I do) for a form of regulation more appropriate for our age (for which I use the umbrella term “Digital Due Diligence”, or DDD) using artificial intelligence and machine learning to track, trace and connect the dots to find the bad actors. If you look at the work of Chainalysis and others

The benefits to the wider economy are obvious – more access to financial services as well as more interdiction of actual money launderers, terrorists, corrupt politicians and tax evaders. We all know that COVID-19 is accelerating the evolution of digital onboarding, and that’s great. But we need to move to the next level: DDD! Now that we live in a world where digital identity is becoming a thing (both for people and for organisations) it’s time to plan for a faster, more cost-effective and more transparent approach that is based on the world we are actually living in.

(This is an edited version of an article first published on Forbes, 3rd May 2021.)

Follow the e-money

A couple of years ago I remember going to see ComplyAdvantage to make a podcast with them. I thought the new category of regtech was interesting and that the potential for new technologies in that space (eg, machine learning) was significant, so I went of off to learn some more about and talk to a few organisations to test some hypotheses. I remember thinking at the time that they were good guys and on a good trajectory and it looks as if my opinion was well-founded (they are doubling in size this year).

Anyway, I was thinking about them because they recently sent me a new white paper “A New Dawn for Compliance” (which notes that an estimated $2 trillion is laundered globally every year and only 1-3% of these funds are identified and possibly stopped) and it nicely encapsulated something that has been touched on in a fair few conversations recently: there’s no way to hire ourselves out of the compliance mess we’re in. Even if financial services and other businesses had infinite compliance budgets, which they most certainly do not, it’s simply not feasible to hire enough people to keep up. Even if there were infinite people with expertise in the space, which there most certainly is not, bringing them on board is too time-consuming, too expensive and too inflexible to create a compliance infrastructure that can respond the new environment.

Technology is the only way out of this.

Using technology to automate the current procedures is, as always, only a small part of the solution. The UK Financial Intelligence Unit (UKFIU) receives more than 460,000 suspicious activity reports (SARs) every year (according to the National Crime Agency), yet fraud continues to rise.

Moreover as Rob Wainwright (head of Europol) pointed out last year, European banks are spending some €20 billion per annum on CDD with very limited results. In fact, he said  specifically that  “professional money launderers — and we have identified 400 at the top, top level in Europe — are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate”. This is not even a Red Queen’s Race, it’s a Formula 1 of crime where the bad guys are ahead and we can’t overtake them.

The Fifth Anti-Money  Laundering Directive (AMLDV) which comes into force in 2020 will, I predict, do nothing to change this criminal calculus. AMLDV will cost organisations substantially more than its predecessors and these costs are out of control. According to a 2017 whitepaper written by my colleagues at Consult Hyperion, KYC processes currently cost the average bank $60m (€52.9m) annually, with some larger institutions spending up to $500m (€440.7m) every year on KYC and associated customer due diligence (CDD) compliance. In the AMLDV era we will look back with nostalgia to the time when the cost of compliance were so limited.

It’s time for a rethink.

We need to re-engineer regulators and compliance to stop implementing know-your-customer, anti-money laundering, counter-terrorist financing and the tracking of politcally-exposed persons (let’s lump these all together for the sake off convenience as Customer Due Diligence, or CDD) by building electronic analogues of passport and suspicious transaction reports and so on. In a world of machine learning and artificial intelligence, we need to invert the paradigm: instead of using CDD to keep the bad guys out of the system, we should bring the bad guys into the system and then use artificial intelligence and pattern recognition and analytics to find out what the bad guys are doing and then catch them!

Surely, from a law enforcement point of view, it’s better to know what the bad guys are up to? Following their money should mean that it is easier to detect and infiltrate criminal networks and generate information that the law enforcement community can use to actually do something about the flow of criminal funds. In any other financial services business, a success rate of 1% would call into the question the strategy and the management of the business

An island of artificial intelligence

As I’ve written many times (e.g., here), it is difficult to overestimate the impact of artificial intelligence (AI) on the financial services industry. As Wired magazine said, “it is no surprise that AI tops the list of potentially disruptive technologies”. With Forrester further forecasting that a quarter of financial sector jobs will be “impacted” by AI before 2020, there’s an urgent need for the island begin to think about the next generation of financial services and begin to formulate a realistic strategy not only to copy with the changes but to exploit them. It is because the need is so urgent that I was delighted to be asked to give a keynote at the Cognitive Finance AI Retreat in September (Which began with a beach barbecue, something I recommend to conference producers everywhere.)

Beach BBQ

A beach barbecue is always a good idea at a conference.

The event was put together by my good friends at Cognitive Finance working with Digital Jersey (where I am advisor to the board) and they did a great job of bringing together a spectrum of both subject matter experts and informed commentators to cover a wide variety of issues and provide a great platform for learning.

On the first day of the event, political economist Will Hutton emphasised that financial services will be at the “cutting edge” of the big data revolution, pointing out that not only does the sector hold highly personal, highly valuable data about individuals, but that it has more complex oversight requirements than most other sectors.

Clara Durodie, CEO of Cognitive Finance Group kicked off the event by talking about the potential for AI to help to manage the colossal flows of data that characterise the financial sector today and I think she was right to highlight that the use of the technologies presents tremendous opportunities here.

In his superb “Radical Technologies, Adam Greenfield wrote of the advance of automation that many of us (me included, by the way) cling to the hope that “there are some creative tasks that computers will simply never be able to peform”. I have no evidence that financial services regulation will be one of those tasks, so in my talk I suggested AI will be the most important “regtech” of all and made a few suggestions as to how regulators can plan to use the technology to create a better (that is faster, cheaper and more transparent) financial services sector. The strategic core of my suggestion was that jurisdictional competition to create a more cost-effective financial services market might be a competition that Jersey could do well in.

AI as Regtech

Regulation, however, was only one the topics discussed in a fascinating couple of days of talks, discussions and case studies. The surprise for me was that there was a lot of discussion about ethics, and how to incorporate ethics into the decision-making processes of AI systems so that they can be accountable. I hadn’t spent too much time thinking about this before, but I was certainly left with the impression that this might be one of the more difficult problems to address and talking with very well-informed presenters. Listening to experts such as Dr. Michael AikenheadKay Firth-ButterfieldDr. Sabine Dembrowski, Andrew Davies and many other leading names in finance and AI left me energised with the  possibilities and intrigued by the problems.

AI is an event horizon for the financial services industry. With our current knowledge, we simply cannot see (or perhaps even imagine) the other side of the introduction of true AI into our business. But we can see that our traditional “laws” of cost-benefit analysis, compliance and competition will not hold in that new financial services space, which is why it is important to start thinking about what the new “laws” might be and how the financial services can take advantage of them.