FinTech and the New Frontier in the Fight Against Modern Slavery

On 31st January 1865 the US House of Representatives passed the 13th Amendment to the Constitution of the United States of America. Spearheaded by President Abraham Lincoln, it put an end to the most heinous blemish on the face of human history, and followed in the footsteps of such legislation as the 1833 British Slavery Abolition Act and the 1848 French second abolition act, abolishing slavery and involuntary servitude. Abolition in the USA represented the culmination of the career of one of the world’s most tenacious and revered leaders, and marked the final end to a bloody internecine conflict between North and South in the form of the US Civil War. To know that a modern reprise of slavery and human trafficking continues to blight vulnerable populations across the globe to this day, despite the practice being illegal in every country in the world, would likely have Honest Abe turning in his grave. To know that Southeast Asia and APAC more broadly represent a hotbed of such activities, a predicate money laundering offence, should leave readers in the region feeling somewhat discomfited. 

Source: ILO & Walk Free Foundation, 2017 and ILO, 2012.

Source: ILO & Walk Free Foundation, 2017 and ILO, 2012.

The Liechtenstein Initiative for a Financial Sector Commission on Modern Slavery and Human Trafficking defines modern slavery as a “non-legal umbrella term, encompassing several forms of severe exploitation, including forced labour, forced marriage, servitude, debt bondage and human trafficking”. Human trafficking itself can be further defined as the recruitment, transfer, or obtaining of an individual through coercion, abduction, fraud, or force in order to exploit them. Exploitation can come in the form of anything from low-paid migrant workers to commercial sex work. The exploiter can be anyone, including strangers, neighbours, or even family members. In depth joint research by the International Labour Organisation and Walk Free foundation into global estimates of modern slavery indicate that over 40.3 million men, women, children experienced one or more forms of modern slavery exploitation in 2016; equivalent to one in every 185 people globally. Modern slavery is estimated to generate over $150 billion in profits every year and is on the rise. Between 2012 and 2016, global modern slavery increased by over 40%. This increase could possibly be attributed to increased awareness and as such increased reporting of the issue.  Asia accounted for $50 billion of this total, due in part to its high number of victims and high profits per victim.

Source: ILO & Walk Free Foundation, 2017 and ILO, 2012.

Source: ILO & Walk Free Foundation, 2017 and ILO, 2012.

More than a third of the proceeds of modern slavery are generated in developed countries. The developed vs. undeveloped country split emanates as a result of the fact that slavery risks are broadly higher in poor and developing countries than in wealthier, developed countries. They are higher for marginalised and excluded groups, including women, girls, low-caste individuals, refugees, those displaced by disaster and conflict, and migrant workers. Risks are higher for low-skilled workers than skilled workers, for those with lower education levels, and the vulnerable unbanked; all prevalent factors in Asia.

Source:  **Substantial gaps in data


**Substantial gaps in data

Statistics compiled by Global Slavery Index (GSI) in 2016 estimate that modern slavery in Asia accounts for around 62% of the global total. The APAC region has the second highest prevalence of modern slavery in the world, with 6.1 per instances per 1000 people. GSI found that APAC had a high prevalence of forced labour (4.0 per 1000 people) and forced marriage (2.0 per 1000 people) compared with other regions. APAC also had the highest number of victims across all forms of modern slavery, accounting for 73% of victims of forced sexual exploitation, 68% of those forced to work by state authorities, 64% of those in forced labour exploitation, and 42% of all those in forced marriages. As highlighted in the above table, Southeast Asian countries feature high up on GSI’s rankings, with Cambodia in fourth place. Cambodia’s construction boom, fuelled largely by Western property firms funded by global banks, has seen a concurrent rise in the rates of debt-bonded labour in the country’s brick making industry. Myanmar sits at seventh in the rankings, Brunei Darussalam at eighth, and Laos, Thailand, and the Philippines in tenth, eleventh, and twelfth place respectively. Many will be surprised to see our own little red dot Singapore place 20th on GSI’s list.

Slavery is illegal in every country in the world, and by 2018 more than 170 countries had made firm public commitments to eradicating it, however only 122 had criminalised human trafficking in line with the UN Trafficking Protocol, and only 38 countries had criminalised forced marriage, according to GSI figures. In Singapore, the main legislation targeting modern day slavery is the Prevention of Human Trafficking Act 2014 (PHTA), which criminalises forced labour, and sex labour trafficking. In addition, it should be noted that human trafficking is a predicate crime of money laundering (a predicate offence is a crime that is a component of a more serious crime). Unlike other landmark global anti-slavery legislation such as the UK Modern Slavery Act 2015, and the Australian Modern Slavery Act (effective from 1st January 2019) however, Singapore’s PHTA does not contain a reporting requirement for corporates. Governmental and legislative pressure to report could be usefully applied in Singapore’s financial industry. The continued proliferation of modern slavery is irrevocably and inextricably correlated to the financial system and the ability to illegally launder proceeds through it. While the Financial Action Task Force (FATF) itself expressed the view that greater exposure to financial systems by both victim and perpetrator increases the opportunities for identifying money laundering as a result of modern slavery, unchecked and unbridled access, while reducing undetectable cash intensive transactions, may also facilitate rampant growth in modern slavery. 

In its first secretariat briefing paper the Liechtenstein Initiative highlights the role that financial innovation played in the abolition of slavery in the UK in the 1800s. Abolition was only possible because of an arrangement in 1834 comprising what was then the largest syndicated loan in history, to the British government, to finance compensation packages; regrettably not to slaves, but rather slave owners. The loan was equivalent to a staggering 40% of Britain’s national public expenditure at the time. The last interest on this loan was only finally repaid in 2015. Although the role of the private sector in combatting modern slavery will take a different, 21st century form, its clear that FinTechs can play a major part. 

We can draw striking parallels with British 19th century financial innovation in the abolition of chattel slavery with the role that financial innovation through FinTech must play in the fight against modern slavery in Asia. Not only because FinTechs such as e-payment firms and virtual banks represent today’s pioneering innovators, but also for reasons of financial inclusion. Major consumers of the FinTech revolution in Southeast Asia will be those populations of unbanked individuals in developing countries such as Cambodia and Laos. It is logical to suggest that those countries where modern slavery is prevalent are also those where financial inclusion rates are low because not having acess to the formal financial system limits formal emplpoyment opportunities. These populations are therefore those most at risk of falling victim to loan sharks and ultimately becoming victims of modern slavery as a result of debt-bonded labour. For the FinTech world to meaningfully lead the fight against modern slavery, firms must be aware of the financial crime risk faced by their enterprises, identify thematic risk typologies specific to the Southeast Asia region, and apply commensurate AML measures to their businesses. 

The onboarding process can play a critical role in flagging this typology. A close inspection of the ‘selfie’ can highlight victims of abuse and those being coerced. Whilst this typology is particularly difficult to monitor as it involves multiple people, varying operating schemes and geographical locations, there are a number of ‘red flags’:

  • Victims' accounts - these tend to show lots of transactions from unrelated individuals in, and then the majority of funds moved out to a single point of the contact (essentially, the gang leader)

  • Gang leader accounts - these accounts tend to show lots of transactions to travel companies.

  • The funds are typically in the form of cash and therefore the methods used to launder the illegal proceeds often include cash deposits e.g. with structuring pattern. 

  • Transactions may also appear to be related to loans or family support (usually victims will try to remit any funds to their families), which may be identified as significantly smaller cross-border transfers when compared to other migrant employees. 

  • Alternatively, victims may send funds to criminals stating these are family remittances. 

  • There might be multiple transactions on a criminal’s account related to accommodation, travels and the basic daily expenses of victims, appearing in transactions as details of unrelated individuals.

FATF have provided detailed guidance concerning financial crime risk typologies applicable to modern slavery. A key risk typology for Southeast Asia’s FinTechs to consider is sector and industry. Verité for example has developed a Forced Labor Commodity Atlas, which highlights commodities that are linked to human trafficking and modern slavery in global supply chains, such as cocoa, palm oil, sugar and cotton. Both palm oil (Indonesia, Malaysia, Thailand) and cotton (APAC is the largest producer of cotton in the world), are industries in relation to which FinTechs should exercise caution when considering modern slavery risk factors in the customer risk assessment. At an individual level, FATF guidance has suggested that no one indicator alone is likely to confirm money laundering from modern slavery and human trafficking. Wider contextual information may be the key to identifying both victims and perpetrators e.g. passport information, utility information (or lack of it), and non-traditional indicators such as financial data, social media activity, biometric information. Innovative means of meeting customer due diligence requirements could provide wider benefits for detection of modern slavery in this regard. 

Analysis at the individual level is important in the Southeast Asian financial crime context. As mentioned above, much of the region’s FinTech growth will come as a result of financial inclusion, bringing the most poor and vulnerable into the financial system. FATF’s Financial Flows from Human Trafficking report notes that the analysis to date has uncovered patterns primarily at the level of interaction between the sector (up until now typically banks) and victims, rather than at higher levels of trafficking organizations. Examples of such interactions might be: handling, and lending migrant workers money to pay improper recruitment fees; lending funds for visa purchases to people that, upon arrival in the new country on those visas, are forced into commercial sexual exploitation; operating credit cards, debit cards, and bank accounts in the name of victims of commercial sexual exploitation that are in fact controlled by recruiters and managers; facilitating transfers from illicit massage businesses to related businesses (restaurants, grocery stores, dry cleaners), which are used to launder the proceeds of crime; and operating the conversion of virtual currencies such as Bitcoin, used in illicit commercial sex businesses, to fiat currency.

The ability of FinTechs to effectively detect and manage modern slavery risks will also require cooperation from the region’s financial regulators who must understand the bigger picture at play. Over-zealous mass AML de-risking (terminating customer accounts) under regulatory pressure may actually increase the overall level of modern slavery in the region. As the Liechtenstein Initiative paper outlines, mass de-risking may push jettisoned business into informal illicit financing arrangements. It may also hinder financial inclusion, especially where financial institutions terminate correspondent banking relationships, which allow local banks to gain access to foreign financial markets and carry out cross-border transactions. Terminating these relationships may have a particularly negative impact on migrant worker remittances, pushing them out of the formal sector into the informal, cash intensive channels, where workers may be exposed to greater risks of exploitation.

Modern slavery not only exists but is on the rise. Asia remains a hotbed of modern slavery, particularly in Southeast Asia where higher risk commodities, an established commercial sex industry, a construction and development boom, and reliance on cheap migrant labour creates a macroenvironment conducive to nefarious actors. Despite slavery being illegal in every country in the world, human trafficking remains largely un-criminalised, and international legislation is either too recent to ascertain the success of its application (for example Australia’s 2019 Modern Slavery Act), or may be too limited in scope to facilitate meaningful change at a corporate level (e.g. Singapore’s PHTA). The role of the financial sector is therefore paramount – particularly FinTech. Although bringing more of the world’s population into the traditional financial system will as FATF suggests create more opportunity to detect both perpetrators and victims of modern slavery, this holds true only when effective AML measures are applied. Modern slavery will be best detected at the individual level and Southeast Asia’s FinTechs seeking to capitalise on regional financial inclusion of the most vulnerable will lead the charge in this regard. The region’s FinTechs will require cooperation from financial regulators, and the MAS in Singapore for example must give firms adequate breathing room to assess factors such as labour conditions in their corporate customers value chains, and familiarise themselves with Southeast Asia specific individual risk typologies, rather than knee jerk de-risking, which may serve to only exacerbate the problem.

Tackling Vulnerability: How to Increase Financial Inclusion While Also Championing Anti-Financial Crime

The Financial Inclusion/Financial Crime Nexus

Through our work in anti-financial crime (AFC), we’ve witnessed firsthand how FinTechs have been able to utilise new technologies in order to support traditionally underbanked customers - from international students to migrant workers. In this arena, FinTech leadership is absolutely necessary - nearly 2 million people in the UK are still considered financially excluded. And sadly, this isn’t the full picture; the under-banked, who don’t have access to the full range of financial resources and support, are also cause for greater efforts toward inclusivity. In the US, for example, where the unbanked population is around 6%, nearly another 20% is considered “underbanked,” indicating the scale of this problem. 

Reporting from the FCA directly connects the financial exclusion of the unbanked and underbanked to the wider issue of vulnerable customers. Nearly half of people in the UK display one or more characteristics of vulnerability, such as mental or physical health difficulties or financial debt or distress. Vulnerability clearly can harm an individual’s capacity to navigate financial services. Without financial knowledge and support, a backbreaking cycle may develop, where financial anxieties worsen existing vulnerabilities, increasing the likelihood that someone is pushed further and further from the traditional financial ecosystem.

In July, the FCA published guidance for consultation on the treatment of vulnerable customers. This guidance aims to help firms better understand vulnerable customers, ensure their staff have the skills to engage and support vulnerable customers and build their products, services and processes to be more inclusive. We at FINTRAIL are impressed with the steps the FCA is taking to tackle this issue head-on, by providing clearer expectations, recommendations and examples of best practice. 

With that said however, the guidance offers limited discussion around the intersection between vulnerability, financial inclusion and AFC efforts. This comes in spite of strengthening AFC efforts that, while designed to prevent criminals from exploiting and profiting off of victims, may unfortunately disadvantage some vulnerable individuals as well. For instance, customers who have had their identities stolen whose names have been added to fraud databases may struggle to get access to financial products - especially if they don’t know their identities have been stolen. Customers could also fall victims to common financial crime scams, such as romance fraud or authorised push payment fraud, or could be manipulated into becoming money mules - unaware that their actions are actually money laundering. Another example to consider comes from the 5th anti-money laundering directive (5MLD), which will reduce the threshold for applying simplified due diligence on prepaid card customers from €250 to €150 - making it more difficult for many financially excluded individuals to access one of the key financial products they rely on.  As we near the close of the FCA’s consultation period on October 4, here are a few of our impressions of how we can improve financial inclusion while also championing best practice in our AFC controls. 


For FinTechs onboarding a customer, we often see the use of electronic address verification and selfie + ID matching used to facilitate a smoother onboarding process. While selfie + ID matching can sometimes help firms identify vulnerable customers through visual indicators (e.g. evidence of coercion or injury), both tools can still struggle to identify or verify types of vulnerable people. For instance, someone fleeing domestic violence may not have access to their standard documentation or have proof of address. A recent immigrant to the UK may struggle due to poor language skills to understand the requirements for onboarding and again may not pass an electronic address check, by not being on the electoral roll. Young customers from financially disadvantaged backgrounds may not have a passport or a driving licence. A customer with mental or physical health disabilities may have someone assisting them in onboarding, such as helping them take a selfie, which could look suspicious. 

Aside from requesting additional pictures of ID or proof of address documents, small-to-medium sized FinTechs may not have a specific, codified response for how to deal with a customer who fails their initial attempt at onboarding, which can lead to genuine customers who lack ID for legitimate reasons being de-risked. JMLSG provides some useful information on how best to formulate your approach, to ensure you maintain a risk-based approach while also practicing financial inclusion. For instance, other documentary evidence could be beneficial - such as a social services letter, confirmation of studies letter or evidence of an asylum application. Many FinTechs already use data about their customer as well as data from their customer - and a mix of data on the customer’s online presence, email address and phone number can support decisions not only on a customer’s genuineness but also their vulnerability. Whether due to the additional steps needed to verify identity or due to overlapping factors between vulnerability and financial crime risk (e.g. high levels of debt), it may be useful to apply enhanced transaction monitoring controls to customers, even if you do onboard them. We’ve already seen FinTechs taking steps to this, such as with customers engaging in gambling, so it would be great to see these efforts pursued even further within the sector. 

Transaction Monitoring

FinTechs and other financial institutions typically engage in transaction monitoring tools that are designed to spot unusual customer behaviour. However, what could be unusual for a standard customer may be normal behaviour for a more vulnerable customer with non-standard needs. For example, vulnerable customers may be prone to sudden, impulsive purchases, unusual or large-value payments to legal firms or health suppliers, confusing financial patterns designed to repay debts or atypical rent agreements. Thus, it is important to consider vulnerable customers not only when evaluating alerts but also when designing rules. While no two customers are the same, transaction monitoring tools, especially those relying on machine learning, should be calibrated with an eye to avoiding false positives related to vulnerable customers. This may be difficult to fully achieve given the relatively small customer base of many FinTechs, but at least considering vulnerability indicators when working on rules and calibration is a good place to start. FinTechs may also want to consider allowing their customers to set their own behavioural flags, such as for gambling, binge drinking or shopping sprees. FinTech products like Toucan have been spearheading developments in this area. Within their platform, customers can link their bank accounts and set up personalised vulnerability rules and thresholds that can also trigger a general message to a “trusted ally,” who may be able to contact the vulnerable customer and check in on their overall health. 

One requirement under the FCA’s new guidance is for firms to take a ‘proactive approach to understand the nature and extent of vulnerability’ within existing customer bases. FinTechs could engage in best practice to abide by this expectation by designing rules tailored to specific patterns of behaviour indicating vulnerability, generating a ‘soft stop,’ or a flag that is retroactively reviewed. These flags could be assigned to a person or team responsible for identifying and understanding vulnerability, and the results of the exercise could then be used to help tailor and refine rules that better separate the vulnerable from the suspicious. Vulnerable customers who may have had their accounts taken over or who may be victims of authorised push payment fraud should still face ‘hard stop rules,’ however, to prevent money from being laundered.


The FCA guidance provides strong recommendations on ensuring staff are trained in how to deal with potentially vulnerable customers. This is especially a concern when investigating or speaking to a customer who is suspected of financial crime. For a lot of FinTechs, there are two types of outreach to customers that can be used for financial crime-related investigations - automated messaging from robo-advisors and manual messaging from a live human. In the case of automated messaging, the FCA gives examples of how robo-advisors have been set up to help detect potential flags for vulnerability (e.g. detecting speed to type or respond); this can potentially be expanded into the financial crime investigation space to ensure customers demonstrating signs of vulnerability receive more tailored messages and where necessary, are escalated to a human.

For messaging done by a person, it is imperative that front-line customer relations and compliance staff receive training on how to handle vulnerable customers, as the FCA suggests. However, this training must be especially precise in the financial crime space, to prevent tipping off. Another concern that we have noticed is customers who are genuine fraudsters pretending to be vulnerable in order to play on the sympathies of front-line staff and financially benefit, such as through having their account unblocked. If you’re front-line staff, it is best to ensure you have a positive but firm stance when interacting with customers and be wary of how known or suspected criminals may try to influence you. 


As much as we wish that it was easy to draw clear lines between vulnerable customers and  suspicious customers, the waters are undeniably murky. Only through robust efforts can we truly understand the nature of our customers and build meaningful solutions to support those who are vulnerable while preventing the exact sort of suspicious customer that causes vulnerability. Here are a few steps you can consider taking today to help manage financial inclusion going forward:

  1. Consider defining more specific approaches regarding vulnerable or potentially vulnerable customers, particularly in relation to customer due diligence, customer interaction and transaction monitoring. This should be even more robust for FinTechs specifically targeting the financially excluded. A good approach should start with the identification and confirmation of the customer’s vulnerability - ask yourself,  is there a good reason they wouldn’t have the documents required for onboarding or would be transacting this way? 

  2. Once vulnerability has been identified, there should be clear escalation channels,  training for front-line staff on engaging with vulnerable customers for KYC, as well as defined expectations around supplementary documents and enhanced monitoring where required.

  3. Consider designing transaction monitoring rules with ‘soft stops’ to help identify patterns of behaviour for vulnerable customers, as part of your proactive approach to understanding vulnerability indicators on your platform and as part of your efforts to distinguish vulnerable from suspicious.

  4. Tailor automated outreach messaging tools to detect signs of vulnerability and to escalate potential cases of vulnerability to trained human staff. Ensure all robo-advisor communication is friendly, respectful and easy to understand.

  5. Ensure front-line staff training not only encompasses how to deal with vulnerable customers, but how to avoid tipping off and how to handle customers that may fake vulnerability to financially gain. 

The FCA consultation ends soon. Click here if you want to provide your opinion directly. Or if you want to discuss these issues more and work to make your AFC controls support financial inclusion, contact the team at:

Risk appetite: how hungry are you?

Anyone who has spent any time with the team at FINTRAIL will attest to the fact that we are passionate about anti-financial crime and how you balance effective controls with a great customer experience. To achieve this, we believe that setting a well considered financial crime risk appetite is critical. It is an often neglected area but something we think is vital for companies looking to scale their offering. In this piece we are going to explore what we mean by a financial crime risk appetite and how to use it.

What is it and why is it important?

A risk appetite sets out how much risk a firm is willing to take in a given area.  Ideally a risk appetite should align with the firm’s risk-based approach, and this is particularly pertinent  regarding financial crime. A risk appetite statement will allow firms to define boundaries at the early stages of a new business or product as it allows you to target your resources in line with your risk-based approach; it will also allow you to identify whether you are in or outside of the firm’s appetite, which is a key foundation to implementing a risk-based approach. If you would like more information on having a risk-based approach and how that is implemented into financial crime frameworks, have a look at our Risk Assessment blog post here.

A well defined risk appetite enables you to scale your financial crime operations effectively and removes some of the challenge that can be associated with subjective decision making. For example, what customer behaviours or industries are outside your business appetite? If this is clear, as you scale rapidly, you can operationalise controls to identify the activity and take prompt action to resolve it when it is outside of your risk appetite. Rather than spending time debating whether each individual customer or transaction it is or isn’t within your appetite, the decision has already been made at a firm/business level and therefore all operations have to do is execute the required action.

Risk Appetite Statement:

Firms take different approaches when writing their risk appetite statement. At FINTRAIL, we have found that a combination of a header statement of intent, aligned to quantified risk indicators from management information (MI) tends to prove most effective. We give a few examples of this below.

A risk appetite statement may look like:

“Bank ABC has a zero tolerance to financial crime and sanction breaches.”  

Although we would all like to see zero occurrences of financial crime, this statement is not realistic and will likely mean that the business is constantly operating outside of its risk appetite. The statement also does not provide any data or metrics useful in gauging success, or details about the financial crime risk that is seen within the business. For a more useful risk appetite statement, businesses could include the number of AML, fraud, tax evasion, corruption cases it will accept, the number of high risk customers/transactions processed or any industries it does not want to work with and any other relevant areas where MI is recorded.  

So for example this statement would be better written as:

'“Bank ABC has zero tolerance for sanction breaches”.

Bank ABC has a low tolerance for financial crime risk. Based on the risk assessment and risk-based approach, the group is operating within the risk appetite below:

Money laundering

Internal suspicious activity reports reviewed within 24 hours

Monthly total of funds subject to an external suspicious activity report not to exceed 3% of the total volume

Tax Evasion

Transactions to or from high risk tax jurisdictions not to exceed 20% of total transactions 


No more than 10 staff over 30 days overdue for online anti-bribery and corruption training

Examples of financial crime risk indicators:
Internal and external suspicious activity or suspicious transaction reports are a great place to start. As shown above, if a business categorises their reports into the core financial crime threats of money laundering, terrorist financing, fraud, tax evasion, corruption and sanctions they will have good data points on their main financial crime risks. By using these risk indicators and assessing your exposure to these risks through your risk assessment and MI, you will be able to effectively see if you are operating outside of your risk appetite and should look to mitigate or accept the risk.

A more mature business may look to set a risk appetite for the percentage of high risk customers it accepts or how many high risk transactions it processes, although financial inclusion should be carefully considered here as limiting the number of customers in or transactions to certain jurisdictions could negatively impact particular customer groups. Customers may fall outside of a business’s risk appetite, be it through their behaviours or the cost of safely managing the risks and requirements posed by that customer type. For example, certain industries may be off-limits, and if a client refuses to provide information or documentation, the business relationship may be terminated. 

Backlogs can represent as big of a risk to financial crime exposure and suggests that a framework is either under resourced or not efficient. If a FinTech is continuously operating from a backlog that continues to grow, they will be unable to manage the operational processes that exist to help mitigate financial crime risks. If a business sets a risk appetite for outstanding processes such as sanctions screening, transaction monitoring alerts or SAR filing, they will know when any backlogs exceed their risk appetite. This will give the firm a clear indication that there is a need for better efficiency or further resource.

For new products or new business lines, a firm should consider setting an initial risk appetite to manage any new risks and monitor financial crime levels as they establish a control environment. This could include limits on transactions, such as cash deposits, or limits on the amount or type of customers onboarded. These appetite statements can and should evolve over time as the firm starts to understand where the major risks lie and what behaviours they are able to tolerate and manage, and which they are not.

Our Recommendations

  • Set a risk appetite early in your journey, and if you are a mature business without a risk appetite, set one now, and use your data to determine whether you have been operating within it.

  • Work with your senior management team to set your risk appetite limits.

  • Link your risk appetite to your risk assessment.

  • Quantify your risk appetite using reliable data points.

  • Consider how you then practically implement your tolerance to risk into your wider financial crime framework

  • Communicate your financial crime risk appetite so the business knows what is and what is not acceptable. 

  • Assess and escalate scenarios or key risk indicators that fall outside your risk appetite with a view to reject, accept or control.

  • Track deviations from the risk appetite as part of monthly MI

Get in Contact

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at

AI and FinTech: An intelligent choice or artificial hype?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Artificial Intelligence (AI).

In a survey of 18 members, the FFE found that 61% are currently either in the process of developing in house AI solutions or reviewing third party options for their fraud or AML programmes. 33% of surveyed FinTechs currently employ AI solutions developed in-house against 11% that use third party AI solutions.

Cost and data deficiencies, followed by human resources, were reported as the main barriers in implementing AI solutions by FinTechs. The lack of sufficient knowledge or understanding also appeared prominently as one of the top risks highlighted by respondents. 

FinTechs, who had managed to overcome the barriers and challenges, reported a number of benefits including better accuracy and fewer false positives, faster turnaround on onboarding and some improvements in fraud detection.

In the meantime, research and feedback from members suggests that the best approach to introducing AI tools appears to be to deploy them alongside traditional systems: monitor and audit both old and new tools until you are satisfied, and then you are able to rely on the new tool.

Clearly as outlined there are risks and challenges with AI, but anything that enhances the ability for the sector to combat financial crime should be explored for the overall positive benefits it will bring to the companies involved and the people it affects. As highlighted by the survey results, FinTechs are not only well placed but are actively seeking opportunities to integrate AI to enhance their AML framework.

Fintrail AI paper copy-01.png

CTF Strategies: Combating Common Terrorist Financing Misconceptions

At the end of last year, the US Department of Treasury released its National Terrorist Financing Risk Assessment. Despite the multiple attacks perpetrated by domestic extremists in 2018 - including the Pittsburgh synagogue shooting, Jeffersontown Kroger shooting and US mail bombing attempts in October alone - the assessment made no mention of domestic or far-right-wing extremism. 

Another misconception? When thinking of terrorism in Europe, we often break it down between far-right-wing and Islamist groups, when in actuality, according to the just published EU Terrorism Situation and Trend Report (TE-SAT), nearly two-thirds of all attempted or completed terrorist attacks were instigated by separatist groups. Without an understanding of the nature of terrorist financing, it becomes harder for financial institutions to know what to look for and to implement impactful counter-terrorist financing controls.

These examples only showcase some of the assumptions that can negatively affect our ability to prevent and detect funds travelling to terrorist groups. Based on our experience in the FinTech space, we’ve broken down a few more common terrorist financing misconceptions:  

Misconception 1: Terrorist financing exists in a silo.

Terrorist financing is most simply thought of as an activity pursued by someone with strong ideological affiliations to a terrorist group or cause. While this is certainly true in some cases, only thinking about direct and ideologically driven terrorist financing has the danger of concealing the wider nexus between terrorist financing and other types of financial crime. While the use of drug trafficking to fund terrorist activity has been well-recorded, other intersections between terrorist financing and criminal activity can be overlooked. For instance, one source of funding for the Charlie Hebdo attacks included fraudsters selling counterfeit goods. And yet terrorist financing goes beyond just the perpetrators of financial crime. Given that terrorist financing is about the destination of the funds, those seeking to purchase illegal goods, whether counterfeits, weapons or drugs, could also engage in terrorist financing unwittingly, being unaware of where the funds for their purchase end up. 

The terrorist financing network expands beyond the sale of illegal goods. A convicted ISIS fundraiser had tried to raise funds through financial aid fraud, and foreign terrorist fighters have been known to engage in bank and credit card fraud to help fund their movement. The mass enslavement of the Yazidi by ISIS is the most prominent example of how terrorist groups have used human trafficking to raise funds, though other groups such as Boko Haram and al-Shabaab have engaged in the practice as well. In addition to the direct sale of individuals, terrorist groups like ISIS have also been known to use online and social media advertising in the trafficking of persons or in ransoming them back to their families and have also been reported to engage in organ trafficking. 

To best combat terrorist financing, our approach to suspicious activity shouldn’t stop with our first instinct, as even cases of other types of financial crime may have links to terrorism, and individuals with links to criminal activity may be indirectly engaging in terrorist financing both wittingly and unwittingly. 

Misconception 2: We’re looking for donations from ideological sympathisers.

While donations are certainly an important and desirable revenue stream if you are a terrorist group, and recently active networks such as the Liberation Tigers of Tamil Eelam relied on complicated networks of genuine, coerced and unwitting donors to fund nearly their entire operations, these sorts of donations don’t actually represent that much of the entire terrorist financing picture at present. Interpol in 2018 reported that only 3% of all terrorist financing was generated through overseas donations. While the latest TE-SAT still underlines the threats related to international donations, and while groups are constantly evolving in their use of revenue streams, focusing too heavily on international donations could lead us to ignore more prominent revenue streams.

So where should we be looking instead? Sources of terrorist financing are numerous and will vary greatly between groups and actors, and so what your high risk indicators are will depend greatly on your product offering and location. Though entities such as charities are often considered as a part of CTF efforts, limited companies receive less attention, despite their evidence of their usage in terrorist financing schemes. An area that certainly warrants more attention is environmental crime, and Interpol’s data indicates that 38% of all terrorist financing is generated through activities like illegal logging, wildlife trade, mining and fishing. Crafting more tailored monitoring rules for transactions with links to high-risk industries in high-risk jurisdictions for environmental crime and terrorism would help to detect this sort of activity.

Misconception 3: Geography is the most important factor.

During our work as anti-financial crime consultants, we have spoken to several Heads of Financial Crime who express frustration when a suspected terrorist financing case is risen to them primarily because of the customer’s nationality or geographic location, with no other specific evidence indicating that they may be linked to terrorism. Given the misconceptions we’ve already explored, there are serious dangers with jumping to the conclusion of terrorist financing. Terrorist financing is already difficult to spot, especially given that most recent attacks only require less than $10,000 in funds to complete. In fact, the 5 terrorist attacks that took place in the UK in 2017 in total cost just £5,000 to execute. Overly favouring geographic factors risks underestimating the presence of domestic terrorism. The intersections with other crime types and the more complicated channels where terrorist financing can manifest only add to the need to demonstrate a suspicion of terrorist financing more substantively.

What’s the risk though? While it’s important to be safe rather than sorry when it comes to terrorist financing, in reality, a too simplistic approach could lead to vulnerable individuals being de-risked. For example, individuals who do aim to donate to a terrorist cause tend to use the path of least resistance in moving the funds from their country of origin to the conflict zone. Unfortunately, these overlap heavily with channels used by genuine actors seeking to remit funds home or donate to overseas causes. Without additional evidence linking the customer to terrorism, you could end up unwittingly engaging in profiling in a way that is unfair to customers and inefficient in your anti-financial crime efforts. One positive step we’ve seen employed in the FinTech sector is a more holistic approach to customer risk, which takes into account a variety of evolving data points--from IP address to device ID to transaction patterns and speeds--which help paint a more nuanced picture of a customer, that isn’t overly reliant on nationality or country of residence. The best approach to identifying terrorist financing is one driven by a mix of customer data factors, suspicious transactional patterns and references and open source intelligence in order to pin down the nature of your suspicion. Even a quick Google or social media search can go a long way.

Final Takeaways

Ultimately we need to widen our understanding of the nuances and complexities of terrorist financing and challenge the industry to consider cases beyond the more stereotypical patterns. With that said, there are a few key takeaways that we should all consider when framing our approach to terrorist financing:

  1. Dynamic Approach to Terrorist Financing - Broaden your understanding of how terrorist financing may manifest, and see beyond just geographic red flags. We need more than that to form a suspicion of terrorist financing, and this approach doesn’t reflect the reality of the risks we currently face. Taking a dynamic approach to customer risk as it extends to terrorist financing risk is critical, and utilising open source intelligence can contribute to this.

  2. Data and Knowledge Sharing - Having a strong relationship with law enforcement not only will help when it comes to active cases, but can also help you learn about new and emerging typologies and gain actionable information that you can build into your transaction monitoring tools. Improved data and typology sharing not only through public-private partnerships, but also through private-private partnerships can help facilitate greater overall resilience against terrorist financing threats and help everyone stay on top of a landscape that is rapidly changing.

  3. Training and Awareness - CTF training, whether by internal or external parties, needs to be consistently evolving and reflective of the major trends we see in funding patterns and that you see in your day to day operations. Training should be coordinated by terrorist group or actor type, as all groups favour different financing structures, which change depending on their success and failures. CTF training isn’t just about procedure, but about the wider geopolitical context shaping terrorism at home and overseas.

FINTRAIL believes that all companies, should have the opportunity to thrive, free from the threat of financial crime and in doing so reduces the opportunities for exploitation of the most vulnerable.

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at

The Vulnerable: Targets and Tools of Financial Crime

What FinTechs can do to fight financial crime & exclusion

Lured by the opportunity for employment, housing and travel, a Latvian Organised Crime Group facilitated the movement of people from Latvia to the UK. For those hoping to create a better life for their families, these were immediately crushed as once they arrived in the UK, they were told they were "in debt" to the gang. The gang forced the victims to open bank accounts in their own names, then hand over their bank accounts and bank cards to the group before being sent to work in various locations across the UK. The gang retained control over their earnings and any refusal to cooperate was met with threats of violence and assault (1). Unfortunately this is not an isolated incident with a global figure of 40.3 million vulnerable individuals estimated to be victims of modern slavery (2).

In the UK, serious and organised crime is the most deadly national security threat (3). It affects more UK citizens, more than any other national security threat and leads to more deaths in the UK each year than all other national security threats combined. Organised crime groups sexually exploit children and ruthlessly target the most vulnerable, ruining lives and blighting communities. The predicate offences that drive financial crime often generate illicit funds off the back of the hopes and fears of desperate individuals. Crimes like the one highlighted cost us in the UK at least £37 billion each year (4). Criminals are able to reap the benefits of their crimes and to fund lavish lifestyles while their victims are left to suffer the consequences.

The rise of new technology and financial innovation, often leads criminals to seek creative ways to exploit evolving financial developments to their advantage. This makes FinTechs and their customers a particular focus for the criminals, a problem which is heightened further when one considers that two of the largest under-banked groups, the young and migrant communities, are at a higher risk of vulnerability.

What can we do?

One of the simplest ways to identify and understand a customers potential vulnerability is through ‘face-to-face’ interaction. This is much harder for FinTechs to do; most interactions involve online onboarding, with little dialogue apart from email and instant messaging between the client and a customer service representative. Indeed, much of this kind of interaction is increasingly automated, which is part of the inherent attraction of the sector.

The best time for FinTechs to identify and protect a vulnerable individual is during the onboarding process, through Identification and Verification (IDV). One of the most concerning situations we have come across through our involvement with the FinTech FinCrime Exchange (FFE) have been reports of FinTech client applicants providing IDV selfies or undergoing an onboarding interview online who appear to be in the presence or possibly even under the control of another individual. Instances such as these need to be taken very seriously, and simply rejecting the new customer is not enough. Where suspicious activity of any kind is in evidence, FinTechs have a clear moral responsibility to report it (5).

FINTRAIL believes that all companies, should have the opportunity to thrive, free from the threat of financial crime and in doing so reduces the opportunities for exploitation of the most vulnerable.

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at



(2) International Labour Organization and Walk Free Foundation - Global Estimates of Modern Slavery - 2017

(3) Home Office - Serious and Organised Crime Strategy- November 2018

(4) Home Office - Serious and Organised Crime Strategy- November 2018

(5) NCA - Guidance on reporting routes relating to vulnerable persons - November 2016

Why do you work in Financial Crime Compliance?

Payal Patel, who leads our new office in Asia, tells us why she works in Financial Crime Compliance and how she initially found her way into the field.

Payal combines her legal education and extensive compliance experience to build 'best-in-class' anti-financial crime programmes for clients and is focused on enabling innovative business whilst balancing risk and regulatory demands. She brings over 14 years of experience in financial services across multiple regions, focusing recently on FinTech and crypto. She has led engagements with regulators on new business models and has worked with a wide range of organisations globally on international best practices.

‘Why do you work in Financial Crime Compliance...isn’t it boring?’

I’ve lost count of the number of times I’ve been asked this question in some form.

Truth be told, I never intended on pursuing a career in Financial Crime Compliance. After completing my LLB and my legal training, it became very clear that my legal career wasn’t going to be like an episode of Suits, and I decided to follow many of my friends into the world of banking. During my undergraduate degree, we had talks from practically every bank selling us the pre global financial crisis dream of trading and earning pots of money. But I wasn’t sure that world was for me. I hadn’t heard of compliance until a recruiter called me about an entry level role that preferred people from a legal background. I was particularly intrigued as soon as she started talking about fighting financial crime. As a further plus. the team seemed nice, and the work was new, so I took the opportunity.

14 years later, and despite many opportunities to move into other areas, I’ve chosen to continue working in this space - and here’s why.

It impacts us all

People often forget the social impact of money laundering and terrorist financing - it costs us all. Serious crime, from drugs and cybercrime to people trafficking, has huge negative  impacts on society and the people affected, as well as costing the economy billions each year. The trickle down effect of this is that taxes need to be raised to compensate not only for the financial loss but also the additional resource required to police the activity going forward.  The price of consumer services increase as businesses seek to cover the costs associated with the higher taxes. Incidents of corruption, violent crimes and job losses go up and all of this can ultimately destabilise companies, industries and even developing nations. For the victims of crimes enabled by laundered money, the effects can be devastating and lifelong, including great personal and family loss. I see my role as preventing the criminal activity at a crucial point – where criminals seek to convert and clean their money by concealing it within the financial system, essentially allowing their crime to pay off.

Business enabling

Further, I strongly believe that compliance done right is business enabling. Throughout my career, I have actively sought to work in partnership with Business Heads to fully understand their business and the bespoke nature of the financial crime risk it introduces, seeking ways to illuminate this, and show how combatting it will give the business not only the stability it needs to grow, but how fighting financial crime actively builds trust among its customers. This collaborative approach has allowed me to creatively think of new and innovative ways to manage risk whilst also allowing me to be an integral part of the product / service roll out.

The cost of getting it wrong

From an organisation’s perspective the cost of getting compliance wrong can also be devastating, not only financially but also reputationally. Whilst the value add of a robust compliance programme cannot be tagged directly to sales or revenue, the fines imposed for failures can be massive, and licenses revoked or not granted at all.

As I now turn my focus to the world of FinTech, I am more passionate than ever about my role. As technology evolves, so does criminal activity. I want to make crime, corruption and terrorism harder for perpetrators. I want to protect the reputation of the organisations I work for and help them establish and maintain relationships with legitimate customers. This seems far from boring to me.

The Money Mule Trap

by Ishima Roman (Analyst, FINTRAIL)

In mid-February 2019, the UK House of Commons Treasury Select Committee heard from UK financial services providers about the problem of ‘money mules,’ reported to be on an upwards trajectory(1). The term ‘money mule’ is very familiar to financial crime risk professionals, denoting an individual used by criminals, knowingly or not, to transport illegal funds. The term is of course fraught with value judgements; being ‘mules’, they are perceived at best naive and unwitting accomplices, and at worst willing and able conspirators. However, as those giving evidence noted, ‘mules’ although enabling financial crime, can often be victims too.

Money mules can present challenges for FinTechs, especially those offering account based services and payments, because their customer base often draws on groups targeted to become mules: the young, immigrants, the economically precarious. This post explores the mechanics and consequences of money muling, and asks what can be done to mitigate the problem. In part, we believe that the answer is robust financial crime risk management; but FinTechs can also play an important educational role in preventing the vulnerable falling into the ‘mule’ trap.

What is ‘Money Muling’?

Europol, the European Union’s (EU) law enforcement agency, defines money mules as ‘people who, often without knowing it, have been recruited as money laundering intermediaries for criminals and criminal organisations(2).’ The term is sometimes used interchangeably with ‘smurfers,’ although this latter term more precisely refers to those who deposit many small batches of illicit funds to avoid a threshold of regulatory interest.

The process of money muling usually comprises:

  1. The recruitment of the mule by criminal sources;

  2. The mule receives funds into their account;

  3. The mule withdraws the funds; or

  4. The mule wires the funds to another account(s) at the direction or request of criminals. This often includes cross-border transactions.

  5. The mule receives a ‘commission’, either separately or as a cut of the funds sent to their account.

There are of course variations upon this modus operandi, and criminals have also been known to ask the mule to transfer electronically the funds to another account, without the withdrawal at stage (C). Like any money laundering typology, muling will evolve with the development of technology and institutional requirements.

Becoming a Money Mule

As noted above, criminals are often looking to target those who are in a financially vulnerable position, but can provide enough psychological ‘distance’ from criminality in the minds of financial services providers that they are less likely to generate interest. Criminals are known to use many avenues to attract or pressure individuals into money muling, but some of the most common include:

  • Speculative/vague job profiles or money-making ‘opportunities’, advertised online or in local or free papers. This can often be presented as lucrative ‘home working’ and increasingly as an opportunity in a FinTech itself, often using a meaningless job title such as ‘Financial Transactions Analyst(3)’;

  • Direct approaches over social media, such as Facebook and Instagram, and communications apps such as WhatsApp;

  • Direct approaches in person.

Criminals will often pose as reputable organisations, in order to convince the target that what they are doing or proposing is legitimate and legal. Some may present themselves as representatives of an overseas firm whose details are difficult to verify. Other criminal gangs use techniques such as impersonation and role-playing, presenting themselves as an authority figure, such as police officer, government official or soldier, seeking help in some awkward personal circumstance, often requiring the transfer of funds overseas.

money mules -01.png

How Money Muling Works(4)

Vulnerability to Muling

The unemployed and new immigrants from developing to developed countries have been major targets for muling operations for some time; financial desperation provides a motivation in both cases, and in the second, there is likely to be a lack of cultural understanding that criminals can exploit. However, there is an increasing trend in Europe towards the exploitation of young people and students, driven by their high levels of aspiration and low incomes, perceived naïveté, and accessibility online.  According to a report in April 2018 from CIFAS, the UK-based not-for-profit fraud prevention group, 2017 saw:

  • An 27% increase in the number of 14-24 year olds being used as money mules. Many of these young people were students, promised substantial payments for little effort.

  • An 11% rise in the number of accounts believed to have been used by money mules (32,000 plus in total)(5).

In the UK, young people are also increasingly becoming the targets of identity fraud, leading to the misuse of their accounts by money launderers. At the Treasury Select Committee hearing, representatives from Santander noted that the young were particularly vulnerable to having their accounts being used for muling without their knowledge because so many of them take a lax approach to data security; according to Santander’s research, 85% of 18- to 25-year-olds had shared financial information online(6).

The Consequences of Muling

The consequences of becoming a money mule can be harsh, even if the mules are not aware of the ultimate rationale behind the transfers. Regardless of their level of knowledge, they will have played a crucial role in a financial crime, and as such are liable to criminal charges in most developed jurisdictions. In the UK, for instance, muling can lead to a prison sentence of up to fourteen years; in June 2018, the UK group Financial Fraud Action reported on a case of a 26 year old man sentenced by a London court to a year in prison for two mule transactions that totalled at £28,000(7).

Even if criminal charges don’t arise, there is still the risk of long-term financial exclusion and limitations on career prospects. In April 2018, the BBC reported on the case of an anonymous teenage girl, ‘Holly’, who had been targeted by online mule recruiters, or ‘Fraud Boys’ as they are known, on Instagram and Snapchat, but had been caught out by bank staff when depositing a large amount of cash into her account. According to the report, Holly has struggled to get a bank account since, and has had to ask her employers for payment by cheque, which can only be cashed - at substantial cost - in payday loan shops(8).

The Risk to FinTechs

Money mules are a problem for all financial services providers,. Research by Europol and Eurojust in 2016 suggests that 90% of money-mule transactions were linked to cybercrime. This included phishing and malware attacks, but also online shopping/e-commerce fraud and payment card fraud, typologies experienced by certain types of FinTech products largely due to the nature of their customer base(9):

Young people and students are attracted to products designed specifically to appeal to their needs, many FinTech products are seeing significant traction amongst this demographic. Other groups such as new immigrants or those seeking access to financial services might also be attracted to using online services which do not require lengthy verbal interactions with in-branch bank staff and offer products that are designed to address the imbalance of financial exclusion.

Criminals are aware of these developments, and it’s possible that they will focus increasingly on the recruitment of FinTech customers, particularly as other routes, via traditional institutions are closed off for them.  This highlights the increasing need for close collaboration and joint working between financial institutions of all types to combat this type of crime.

Detecting Mules

The first consideration is awareness of the issue, and factoring it into your risk assessment and appetite. If your firm is focused on building a client base in the vulnerable demographics, then you need to make sure you explicitly recognise the risks and have the right controls to manage the nuances.

Every firm and product is different, and there is no generic approach to this, but it is worth recognising that it is difficult to identify all mules at onboarding, especially as some will onboard legitimately, being recruited as mule later (if you’re offering a product aimed directly at improving financial inclusion for example). This can be made harder if ‘at risk’ groups are part of your target customer segments. However, gaining a thorough understanding of the client during the Know-Your-Customer (KYC) phase and building that customer profiling in to a tuned customer risk assessment is a key to detecting problems later on. Because it is in the context of their expected behaviours that we judge what is unusual.

Unlike legacy banks, FinTechs are not going to catch mules out ‘in branch,’ as happened to ‘Holly’, mentioned above. Transactions take place online, so it’s important to have monitoring tools in place that can alert you to deviations in normal behaviour, along with an appropriately trained team to investigate those alerts and report them through a Suspicious Activity Report (SAR) if necessary.

Utilising available data to identify and robustly investigate ‘at-risk’ accounts is a key control activity. Mule accounts are sometimes maintained through linked life-style payments to add an air of legitimacy so investigating account connections and leveraging data points such as common addresses (and others) can be a powerful way to proactively identify accounts for further review.

Additionally, building a suitable greylist or using industry databases such as CIFAS (or others) can provide a mechanism of detecting suspicious profiles at onboarding. Research suggests that accounts used during the later phases of mule activity in a network are more likely to be used by criminals more than once, presenting an opportunity to detect them via robust data sharing and blacklisting.

Increase Education and Prevent Mules

Prevention is often better than a cure so an important additional approach is to think about how FinTechs can help prevent the problem in the first instance. Reducing the pool of potential mules is a more cost effective ‘up-stream’ solution than tackling the effects of their activities. It also provides an opportunity for anti-financial crime professional to add something back to the community with clear positive social impact.

FinTechs have a unique advantage in the way they interact with their customer base and can play an important role in educating particularly vulnerable clients - especially young people - through explicit guidance during onboarding and throughout the customer lifecycle. Companies can engage in and support anti-muling campaigns, such as the EU’s European Money Mule Action (EMMA) imitative, or the ‘Don’t be Fooled’ campaign by the UK groups CIFAS and Financial Fraud Action (FFA)(10).

The young are especially in need guidance on what is ‘normal’ in the financial space, and arguably all financial providers have a duty of care in this regard. It does not take much to deliver simple key messages that reduce the risk to themselves and their clients: there is no legitimate reason to allow someone else to move their money via your account, however convincing they might be. There a three simple pieces of guidance FinTechs can give to their customers:

  • If you get offered a job or income, research any potential employer

  • Don’t respond to adverts offering large sums of money, for minimal input

  • Don’t allow anyone to access your account or use you card/app

  • And if it sounds too good to be true - it is. Walk away or ignore them.

Get in Contact

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at











Risk Assessment: Back to Basics

By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).

Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.

While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly-executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment . This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.

What is an AFC Risk Assessment?

In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.

AFC risk assessments also serve as:

  • A map of vulnerabilities: It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”

  • A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.

  • A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.

  • A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.

How do I Create an AFC Risk Assessment?

At their core, AFC risk assessments can be summarized in one essential formula:


Let’s break down each of these factors in a bit more detail.

Inherent Risk

Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:

  • Who your customers are

  • What geographies you serve

  • Your unique product and delivery features

Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.

You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?,”  the risk assessment should ask, “Provide the number of high-risk customers in each branch.”

Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.

Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.

Control Effectiveness

Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”

As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).

It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. Like with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.

Residual Risk

Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your residual risk score will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.

Case Study

AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:


A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.

Risks and Vulnerabilities

The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.

Managing Risks

The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening and robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.

Things to Remember

Here are a few key lessons to take away:

  1. AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!

  2. AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.

  3. AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.

  4. AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.

  5. AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.

Help and Resources

If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:

  • The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).

A Modern Curse - Fentanyl and FinCrime

Matthew Redhead (Senior Associate, FINTRAIL) & Krista Tongring (Managing Director, Guidepost)

Matthew Redhead is a financial crime risk and intelligence specialist, who has undertaken a range of senior operational, change management and leadership roles in financial services, consultancy and government. He works with FinTechs and challengers to build responsive and smart compliance frameworks that encourage innovation whilst minimising risk. 

Krista Tongring oversees a variety of compliance issues and investigations for clients including AML, trade compliance and anti-corruption matters. Previously, she had an accomplished career at the U.S. Department of Justice having most recently served as the Acting Section Chief at the Drug Enforcement Administration Office of Compliance. She led policy discussions and developed strategies to implement new and revised policies. She also worked to establish a more efficient policy review process. Ms. Tongring spent a significant portion of her career as a federal prosecutor where she investigated and prosecuted complex criminal matters, including racketeering, money laundering, abusive trust and other tax matters, international organized crime, criminal asset forfeiture, and violations of the Bank Secrecy Act.

As close partners of FINTRAIL Solutions are aware, we have been concerned about the impact of fentanyl - a powerful and highly addictive opioid used legally for the relief of extreme pain, but also produced and sold illegally - since early last year. The illegal use of the drug is at epidemic proportions in North America, and based on Canadian government warnings, we highlighted to clients and collaborators the potential financial crime risks that the burgeoning trade in the drug posed directly to FinTechs and their customers. 

As professionals in risk management, it is easy to look at issues like fentanyl and treat them as technical problems alone: risks to be identified and mitigate. However, the fentanyl epidemic highlights the underlying human tragedies that often drive the financial crime we seek to tackle. Overdoses of illegal fentanyl are reported to have killed the singers Prince and Tom Petty,[1] while the US Centers for Disease Control and Prevention (CDC) reported in December 2018 that fentanyl is now one of the main drugs involved in overdose deaths across the US.[2]

 This blog post is the first in a series which will look at the social causes and contexts of financial crime. The aim is to look at the problem in the round - its character, causes and impact - to help remind us why it is not only important to fight the financial crime the problem engenders, but also consider the reality for people who are caught up in these illegal trades - the mules, the users and the small time dealers, who, in truth, are victims too.


The Fentanyl Problem

Fentanyl is an opioid: a category of drug that suppresses feelings of pain in the brain, whilst also engendering states of relief and relaxation. In its legally manufactured form, it is usually prescribed for extreme, chronic pain, and is rated as being up to 100 times stronger than a sister opioid, morphine. Legitimate fentanyl is usually taken as a patch, lozenge or injection, but care has to be taken, as there is a very real risk of overdose and death.[3] Fentanyl can also be illegally sourced, either through the theft and diversion of legitimate supplies, or the purchase of synthetically produced illegal variations, usually coming as a white powder that can be ‘cooked’ and injected, snorted or ingested, either on its own, or in combination with other illegal drugs, especially cocaine and heroin.[4]

 Even in the legal variety of the drug is extremely dangerous, and is classified in the top category of most countries’ controlled substance schedules.[5] Indeed, the drug is so powerful that in August 2018 it was used in Nebraska to execute Carey Dean Moore by lethal injection,[6] and has allegedly been banned on some drug supplier websites on the darknet, according to a 2018 report by the UK paper The Guardian.[7]


The Market

 There is little doubt that the current epicentre of the fentanyl epidemic is North America. In the US, the drug has had a devastating effect; in a recently published report from December 2018, the US Centers for Disease Control and Prevention (CDC) stated that, as of 2016, fentanyl is now linked to 29 percent of all overdose deaths.[8] Overall, more US citizens were killed by all opioids - of which fentanyl is most prominent - than were killed by guns or car accidents.[9] This CDC chart of opioid related deaths in the US gives some indication of the dramatic rise of the problem, and fentanyl’s role within it.

Figure 1  - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC) [10]

Figure 1 - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC)[10]

In Canada, the problem is equally significant. In June 2018, the Canadian authorities reported that over 4,000 Canadians had died from opioid overdoses in 2017, a new record, of which 72% were fentanyl or pseudo-fentanyl analogs.[11] Outside of North America, there has also been a reported rise in deaths by fentanyl in Australia,[12] New Zealand[13] and the UK[14] over recent years, although rates do not yet appear to have reached US levels. The EU Monitoring Centre for Drugs and Drug Addiction states on its website that fentanyl is a more marginal problem in the EU, affecting primarily Estonia, Germany, Belgium and Austria. However, EU statistics show that opioids as a class are becoming a greater problem in Ireland, France, Italy and Portugal.[15]


The Mechanics of the US Trade

The DEA and Department of Homeland Security (DHS) believe that the primary source of the illicit versions of the drug is China - one of the most popular terms for a range of fentanyl analogs is in fact ‘China White.’ Laboratories run by Chinese organised crime gangs produce high volumes of fentanyl, which are then marketed to other transnational traffickers, including the Mexican cartels, who move the drugs into North America. Fentanyl flows across the Pacific to Canada and Mexico via mail order services and smuggling, where it is often mixed with other drugs, and then smuggled into the US via the north eastern and south eastern borders.[16] The drug often comes in a powdered form, or disguised as the tablet forms of legal pharmaceuticals, such as oxycodone and hydrocodone.[17] 

Fentanyl white paper_Map.png

The secondary source, and one of growing significance, is Mexico itself. In 2016, the DEA reported its suspicion that the Mexican cartels were ‘branching out’ into the production of fentanyl, using imported precursor chemicals from the US and China.[18] Over the last year this assessment has been confirmed by busts in Mexico, including one in December in the capital, that have revealed the existence of cartel-managed fentanyl labs.[19]

The mixture or ‘cutting’ of fentanyl with other drugs, such as cocaine or heroin, makes the combined hybrid drug even stronger and more addictive, and further help us understand why its market is so sustainable. First, selling fentanyl keeps the costs of the traffickers and pushers down, because a small amount, though dangerous and potentially toxic, is relatively easy to produce and ship, yet has extreme potency. Second, the potency of the drug, especially when combined with other narcotics, means that users become quickly and highly dependent, ensuring that the suppliers have a captive market. Some of the strongest markets for fentanyl are in US states that already have high rates of opioid addiction.  This is borne out by a DEA report indicating that many of the younger users of fentanyl turned to the drug once they could no longer obtain and/or afford illicit pharmaceutical opioids.[20]

The prospects of breaking this market in the short-term appear bleak. The problem has become so great that the US President, Donald Trump, has pressured his Chinese counterpart, Xi Jinping, to take action against the Asian end of the trade, most recently at the November/December 2018 G20 summit in Argentina. Although President Xi was supportive, it is likely to take some time before practical action occurs.[21] Moreover, recent Canadian requests to China for similar help have been less warmly met, largely because of ongoing disputes over the return of Chinese fugitives to Canada.[22] As long as the Canadian and Mexican gateways to the US remain open, the scourge of fentanyl in North America is likely to continue.


Fentanyl, FinCrime & FinTechs 

What role then for FinTechs?

 For the last five years, there has been media ‘hype’ about the roles that FinTech platforms might play in the purchase of illegal drugs. Payments providers have been put out of business because their platforms have allowed individuals to buy illegal items unimpeded. In 2013, for example, the US Department of Justice (DoJ) closed Liberty Reserve, a digital payment processor, for facilitating the sale of drugs and child pornography, while cryptocurrencies are of particular current concern. In June 2018 the US media reported a DoJ enforcement action named ‘Operation Dark Gold,’ to stop the darknet sales of drugs using Bitcoin and other cryptocurrencies. [23]

Our clients’ experience tends to be more prosaic than some of these more sensational media cases. As a recent FinTech FinCrime Exchange (FFE) survey of UK FinTechs demonstrated, most financial crime typologies experienced in the UK cryptocurrency sector were around varieties of customer fraud. Nonetheless, we still believe that FinTechs have a responsibility to take these issues seriously. There are potentially striking indicators that, in combination, should raise concern (see breakout box), and we would urge all FinTechs working in payments services, retail accounts, prepaid cards and crypto transmission and exchange providers to give them due attention in their financial crime investigations.

Fentanyl white paper_State count.png

●      Unusual Chinese transactions: Customers buying items from China, especially where this does not fit with the customer transaction profile or nature of businesses, along with multiple unconnected payments to a single individual in China;

●      Unusual health products: Firms offering apparently pharmaceutical or health products who demonstrate other unusual indicators such as those listed here;

●      High use of currency exchanges: Multiple payments from global currency and cryptocurrency exchanges, usually in small amounts; and

●      Tags and nicknames: Payments including nicknames such as Apache, China Girl and China Town, or precursor references such as NPP or ANPP.


For more details, contact FINTRAIL Solutions at


At the same time, the case of fentanyl drives home the need for FinTechs to take a longer term view too about the types of business they are doing. As regular readers of the FINTRAIL and FINTRAIL Solutions blogs will know, we recommend some basic prevention methods that include active risk assessment and defined risk appetite. We have found that its critical for FinTechs to take basic risk management seriously from the beginning - asking themselves questions about the vulnerabilities of their product and the risks that opens them up to. If you think your company is vulnerable, then take action. Get the basics right. Because it is in no one’s interest to facilitate the sale of a drug like fentanyl.


If you would like to know more about how FINTRAIL Solutions and how we can help you and our business better manage financial crime risks, please contact us at








[8], p.1


[10], p.4






[16], p.70


[18], p.65


[20], p.28




2018 and 2019

Fintrail visual identity v1_Mailchimp header 1819.png

As we head into 2019, here is a summary of 2018 in numbers.


We welcomed James and John-Paul into the FINTRAIL family.


John-Paul will be leading the FINTRAIL and FFE communities so that Fintechs can collaborate on best practices in financial crime risk management.

James Nurse BW.jpg

James joins us to provide industry expertise all of our projects across a wide range of subjects and specialisms.

We launched the FFE in the USA

As the FFE continues to grow and support its members in the UK and the Netherlands, we launched the FFE in the USA where we will be connecting the community to support the specific needs of American Fintechs.

We held our first FFE conference in London

Over 100 representatives from across the Fintech community spent a day discussing and sharing ideas on the theme of...

‘Disruptive Perspectives on Financial Crime’ 

Which was a huge success with over 100 Fintech experts meeting for a day of learning, sharing and networking.

Fintrail’s Gemma Rogers is Fighting Financial Crime for Fintech’s Sake

Fighting financial crime is TFT’s Wonder Woman this month, Gemma Rogers, CEO FINTRAIL. She speaks to Zoya Malik about using regulation in an innovative way to protect fintech startups from financial crime by looking at their risk appetites and implementing control measures to stay the course.

(Gemma Rogers, CEO FINTRAIL)

ZM: What is FINTRAIL’s objective?

GR: FINTRAIL’s objective is to work with our clients across the Fintech sector to ensure they meet regulatory expectations and can effectively manage financial crime risks. We do this by helping clients understand the financial crime and compliance risks they may face and then work with them to deploy proportionate and effective controls. I believe fintechs have an important role in society and present huge opportunities, but with that opportunity comes risk that illicit and bad actors may take advantage of the new technologies and products to further crime – we work with our clients to stop that from happening. fintechs and challenger banks are unencumbered by legacy systems, data and processes, so can have an advantage over mainstream banks, making it a really exciting area to work in for passionate anti-financial crime professionals.

ZM: How are you advising fintech clients?

GR: We are a consultancy offering expertise on anti-financial crime compliance controls to fintech companies. Our approach with our clients is based on four pillars, Build, Scale, Assure and Solve. In terms of Build we look at what financial crime risks a company may face and ensure they have the right controls to manage them. In terms of Scale, we look at how new products or expansion plans may impact a client and also how controls can and should be scaled as they grow, providing additional capacity and support where and when our clients need it. With reference to Assure, this pertains to more mature fintechs where they require a 3rd party such as ourselves to test their systems and controls and determine that procedures align with regulatory compliance. In terms of Solve, we may come in where a firm has had a bad audit report or may have incidents of internal fraud. We help investigate these issues and advise on how to prevent them recurring in the future.

ZM: What is critical for fintechs in terms of setting up crime and fraud prevention controls?

GR: So, one of the main elements we focus on with our clients is the risk assessment: what this entails is a fintech truly understanding what specific financial crime risks they are exposed to.  What they are then able to do is focus the controls and preventative measures they apply on the risks that are most significant or where they have most exposure. This enables the fintechs to take a proportionate, risk-based but yet customer-friendly approach to how they fight financial crime, which can evolve as they grow their product offerings and business models.  

We also think it is vital that the industry benefits from collective learning and works together to fight back against the financial criminals. That is why we set up the FinTech Fincrime Exchange (FFE), a free members’ forum where we discuss best practices for fintechs, as well as the various permutations, or typologies, of what exactly financial crime can look like. Sharing information of this sort also strengthens the Fintech community’s stance against financial crime, ensuring that this sector plays its part in the global fight against financial crime, something that we are really passionate about at FINTRAIL.  

ZM: How are you advising clients on crypto assets crime prevention?

GR: We are really excited to be working in the cryptocurrency space.  There is a lot written about cryptocurrencies and their utility in financial crime schemes, and while there are risks, there are effective ways to mitigate these, just as there are in other asset classes.  When it comes into force, the Fifth Anti-Money Laundering Directive (5AMLD) will bring EU crypto exchanges and custodial wallets under the scope of ‘obliged entities’ for AML purposes. I believe this, and other recent regulatory developments is a really encouraging step forward, bringing crypto-assets into the mainstream and that the (hopefully proportionate) regulation will drive wider adoption and increase trust across all parties. Regulators want to see companies building controls according to their risk profile and this is precisely what they will want to see crypto related companies do. We are excited to be working with firms who are not only developing hugely innovative products and solutions but also taking a proactive approach to their financial crime risk mitigation strategies.

ZM: What will be new in terms of financial crime regulations and FINTRAIL’s business in 2019?

GR: We have recently expanded our business to the USA so we can offer fintech clients on both sides of the Atlantic access to specialist support, especially as companies are looking to expand and scale internationally. We will also be rolling out our services to Asia, in the early part of 2019.

Next year, Brexit will likely have an interesting impact on the Fintech sector across the UK and wider EU.  As such, we anticipate that FINTRAIL’s activities next year will include some advisory work for clients who are looking at how Brexit may impact their business and the changes in financial crime risk and compliance that may bring.

In the EU we are also excitedly awaiting implementation of the 5AMLD, which is in my view a welcome and positive sign that regulators are aiming to keep pace with the rapid technology developments that we are seeing among fintech and more traditional banking players.

Finally, we are going to be continuing the roll-out of the FFE network across the global fintech hubs in US, Asia and Europe to further expand the network of fintech financial crime professionals who are taking the fight to the criminals.

ZM: What has led your career to financial crime prevention?

GR: Having studied Russian and German at university, I started my career in national security in the UK, before moving into banking and realising that there was a huge crossover between the analytical skills required in government, and the skills needed to fight financial crime; when organisations are taking an ever more proactive stance against financial crime, and the need to be on the front foot to predict criminals’ behaviour is paramount having the ability to examine large amounts of data and set those findings into context is crucial.  Also, being able to understand the level of threat that criminals and crime types pose to different organisations is crucial when building out proportionate controls, and a prior career in national security was incredibly useful in that regard.

ZM: Do you think there is a lack of women entering this part of the industry? If so, why? What can bring them into the industry?

GR: I think the field is levelling out in anti-financial, largely because it’s such an interesting area to work in.  Plus the opportunities for progression are great, particularly in the Fintech sector where companies are taking their responsibilities around anti-financial crime seriously and as such the subject is getting a good amount of board and senior management attention.  Of course, more can always be done to encourage women to take up this career path: the Fintech Fincrime Exchange – a specialist industry forum for Fintechs to share and collaborate on financial crime issues – is proud to have signed up to the FinTech Parity Pledge to ensure we continue to have parity in our speakers; we already have an almost 50/50 split between male and female speakers, but we’re keen to do our bit to encourage this and promote diversity in FinTech.

ZM: What are your personal goals?

GR: Firstly, to ensure my colleagues and I at FINTRAIL are achieving our full potential whether that’s through having the right opportunities or through constructive, mutual feedback, and secondly that the Fintech community is equipped with the right skills and knowledge to fight financial crime effectively and efficiently. Tha was the goal behind the Fintech Fincrime Exchange Conference, that took place on 27 November 2018 where we aimed to provide some insightful content that disrupts traditional thinking around how to manage financial crime risks, and offered some practical skills-based sessions to add value to the ways in which Fintechs investigate and analyse financial crime issues.

ZM: Any concluding thoughts?

GR: Most importantly, we are passionate about fighting financial crime and the hugely negative impact it can have on society, customers and companies.  We like to think we can have a positive impact through our work with the inspirational teams and clients we work with in the fintech sector. We won’t solve financial crime overnight but if we all work together we can start to make a difference, building trust with customers, stakeholders and regulators at the same time.

Originally published here:

Do You Want the Bad News…?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Adverse Media Screening (AMS) .

In a survey of 39 members, the FFE found that over 75% currently use AMS as part of their compliance framework. Members used AMS throughout the customer life cycle and identified using the tool in support of investigations and SAR filing to be most valuable. Members found it most impactful when applied in a proportionate way, tailored to their specific financial crime risks.

The survey identified some issues, however. Members continue to struggle with the generation of high volumes of false positives generated by AMS, and were looking for more clarity from regulators on when to deploy AMS. Indeed, almost two-thirds of FFE members surveyed supported making the use of AMS a regulatory requirement, partly for clarity, but also to kickstart the RegTech sector into improving the accuracy of AMS solutions. While it is currently not an explicit  requirement for regulators in the UK, US, or EU, recent findings from the FCA have suggested that when well-executed, it can mitigate financial crime risks. Further guidance of this kind would clearly help FinTechs.

In the meantime, research and feedback from members suggest that the best approach is likely to be a proportionate one. To gain the most value-add from AMS, FinTechs should therefore employ it on a risk-based approach to gather the information most relevant to their risk profile, while making sure their solutions are regularly reviewed to ensure they operate at the highest level. If used judiciously, bad news can be good news for FinTechs.


To download the full paper, click here.

Sextortion: The Underreported Predicate Offence

Cases of sextortion are on the rise; however, as this type of crime grows in prominence, its relation to financial crime remains under-explored.

In May 2018, the National Crime Agency warned that tens of thousands of Britons were being targeted by ‘sextortion’ gangs. Reported cases have increased three times since 2015, and in July 2018, reports of a new, related phishing scam began making their way into our newsfeeds.

Sextortion is not a legal term and is used to cover a broad range of criminal activities. Interpol offer one of the best definitions, classing it as ‘blackmail in which sexual information or images are used to extort favours and/or money from the victim.’

Despite growing awareness from both a law enforcement and potential victim perspective, little analysis has been done on the financial crime implications of sextortion, which are potentially significant.

To help shed light on the subject, we explore three models here--detailing how they operate and what money laundering red flags you should look for.

The Phishing Scam

Over the past couple months, law enforcement agencies from around the globe and across the UK have identified a new scam whereby perpetrators email victims alleging to have hacked into their webcam whilst they were watching pornographic content. The perpetrators request sums ranging from USD$200 to USD$8000 to be paid in Bitcoin and have allegedly made USD$500,000 in total off of the scam thus far. Other phishing scams linked to sextortion exist as well, meaning funds firms might have seen laundered  - and would normally attribute to classic phishing scams - could in fact potentially be proceeds from sextortion. The likelihood of this could increase with time as the success of recent sextortion-related phishing campaigns becomes publicised.

Financial Crime Implications

  • Cryptocurrency payments-- payments relating to sextortion cases may be requested in cryptocurrencies, so efforts should be made to cluster and risk rate bitcoin addresses, and this information could be communicated with FinTechs whose customers deal in cryptocurrencies or who directly facilitate cryptocurrency exchanges and wallets.

  • Recurring payments to the same beneficiary-- the initial one-time payment could become recurring (though the value of each payment could change). Moreover, the payer and payee may have no other obvious connection outside of these payments.

  • New customers-- victims could be new to paying in cryptocurrency and may not use cryptocurrency exchanges outside of these transactions.

The Catfishing Scam

This type of scam is typically carried out through organised criminal efforts, where fake profiles of women are created and used to entice men into performing sexually compromising acts on camera that are then recorded and used as blackmail. Recent cases have seen such activity linked to Romanian crime groups and call centre-style establishments out of the Philippines. Some photos and videos used to create these women are assessed to originate from coerced activity.

Financial Crime Implications

  • Payments from victims--these could come through as FPS payments, and, like with phishing scams, could to be larger amounts followed by recurring payments of varying amounts.

  • Adverse media checks--some KYC details including contact information and residential address may be found through adverse media checks to be connected to alleged romance fraud, dating scams or catfishing.

  • Organised activity--as these types of sextortion scams are often centrally organised, network analysis can be conducted on suspect accounts.

The Blackmail Trade

Blackmail trading can be done through organised criminal groups or more decentralised networks. This type of sextortion typically targets women, and overwhelmingly women under the age of 18. In some cases, children’s sites have deliberately been exploited to find potential victims. It begins similarly to catfishing, with the victim being encouraged into sexually compromising activity, which is then used as blackmail to extort further sexual activity. When the perpetrator grows bored of the victim, they will sell the blackmail material (and by extension, the victim) to a buyer who continues the activity.

Financial Crime Implications

  • Perpetrator to Perpetrator payments--as the payments are for blackmail, amounts could be smaller sums (e.g., £50 to £200) that are one-off payments and may be done through P2P platforms as the parties may know each other. They could be less likely to recur.

  • Payment references--check suspicious payments for references to sexual acts, children’s websites and the name of a woman in a payment between two men.

In all of these cases, unlike other scams, victims rarely ever report the abuse. The implications can be devastating and have been linked to suicide and non-virtual sexual violence. Even when victims do manage to escape, the fear remains. More effort is needed not just to help potential victims protect themselves, but also to crack down on the financial trail behind these activities. The latter - if addressed correctly - has significantly more chance of identifying rings and perpetrators than relying solely on victims reporting crimes, and is another area where public-private partnership could be used to powerful effect.

If you’d like to further discuss this type of crime or other serious predicate offences and how they are financed, don’t hesitate to get in touch.

Why Swiss Plans To Relax AML Regs For FinTech May Do More Harm Than Good

At FINTRAIL we think the Swiss plans to relax Anti-Money Laundering (AML) rules for FinTech under a certain size may actually be a bad idea for the industry and cause those that take advantage longer term harm and complexity.

We fully recognise that for small and early stage companies, complying with AML and Anti-Financial Crime (AFC) requirements can feel burdensome however it comes with a couple of significant advantages. Firstly, embedding AFC at an early stage is not just about complying with regulations, it's about building a strong compliance culture from scratch: by creating a false pause in the need to do this frankly just makes the process harder when you do need to do it due to regulatory requirements. Secondly, by making people think about AFC from the start, they can build in controls, make product changes easily, and generally make AFC a contributing factor to a great customer experience. Removing the drivers to set up an AFC framework from the start will mean that companies start bolting-on controls, and - as we all know from the legacy institutions - that becomes supremely difficult.

At FINTRAIL we feel very privileged to work with dozens of FinTech companies who are at different stages of development and fall under a range of regulatory regimes: one advantage they all have over legacy institutions is that they are thinking about AML/AFC from day one. Is it hard to deal with regulations - yes, of course, but by building it into the very foundation of the company and product they end up in a much better position long-term. It is driving innovation and forcing people to think differently about AML/AFC, their customers and products, and embedding a strong AFC culture from the start that remains as agile as the product development itself. If you want to rapidly scale your business and have a genuinely effective AFC regime, bolting that on is not the way to do it.

Our view is that rather than removing the need to comply with AML regulations, regulators should be looking at how they can simplify the process of complying for those that are at an early stage of their disruptive journey. In our mind that is about providing far more education and support.  It would also give regulators the chance to simplify the language used in regulations to make them easier to understand and thereby implement, while not removing the spirit of what these companies need to become accustomed to dealing with as they scale.

Cryptocurrencies: Getting Serious About Financial Crime Risk Management

Key Points


 ·      Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

·      With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

·      In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

·      Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

·      The foundations for implementing a successful risk-based approach to cryptocurrencies rests on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers

·      In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner


 The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe.

By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation.

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crime Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation.

Many in the EU’s crypto industry have attempted to get ahead of the curve.

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU, ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’[1] 

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to do so could mean fines or other penalties for crypto businesses that fail to meet regulators’ expectations.

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face.

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions.

Unfortunately, the same old approaches won’t work.

Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions.

 A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box.

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge.

The Crypto Industry 


Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes.

Best practice in AML/CFT is about thoughtfully managing risk.

 A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk.

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

 A well-designed risk based approach starts with a thorough financial crime risk assessment.

For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential.

What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows. 

Current regulatory guidance, such as the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

·      Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing? 

·      Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

·      Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect?

·      Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present.

For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail.

Crypto business should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile.

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:

·      developing a logical approach to measuring inherent and residual risks;

·      ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

·      having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise.


#2 Defining Risk Appetite

 When a business understands its risks, it can decide which risks it finds acceptable, and those it finds too high.

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated[2], a good risk appetite statement can achieve several goals, including:

·      setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

·      establishing limits to risk taking so that staff have a clear understanding of unacceptable risks; 

·      defining staff members’ roles and responsibilities for mitigating risks; and

·      providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite.

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk.

 #3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals.

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG[3] advises, training should include ensuring staff awareness of:


·      the company’s risks, as identified in its financial crime risk assessment;

·      the company’s financial crime policies, procedures, systems and controls;

·      AML/CTF regulatory requirements applicable to the company, and the consequences of breeching those requirements;

·      the types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

·      red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs).

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company.

This may be accomplished, in part, by establishing financial crime risk committees that are comprised of senior risk and compliance staff and that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.  

#4 Choosing and Tuning Tools 

To be effective, a financial crime compliance team must be more than just impressive-sounding titles.

Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces.

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risks assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used.

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite.

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks.

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations. 

As JMLSG notes[4], effective systems and controls are generally characterised by factors such as:

·      alignment with regulatory requirements and expectations;

·      appropriate resourcing; and

·      competent staff operating the controls.

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice. 


#5 Working with Partners

 Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers.

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms.

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence.

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime.

Other Financial Institutions


It’s not just crypto businesses that need to be aware of the changing regulatory climate. Banks and other financial institutions must be alert to the crypto-related risks they face.

As the UK’s FCA stated in its letter to firms in June 2018, ‘You should take reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets.’[5]

We’ve identified some ways that non-crypto financial institutions can tackle the crypto challenge.

#1 – Measure Risk Exposure

Banks and other firms should not just make blanket assumptions about the nature or extent of cryptocurrency-related risks they may face. A risk assessment and benchmarking exercise can assist in determining the extent of any exposure, whether direct or indirect, a firm may have to cryptocurrency services and users. For example:

·      a large bank undertakes a review of customer transactions to determine whether any customers are acting as unlicenced crypto brokers on sites such as;

·      a prepaid card provider conducts a review of customers’ spending patterns to determine which customers are buying cryptocurrencies from exchanges, and to understand the nature of that activity;

·      a wealth management firm conducts a risk-based review to determine whether any high net worth customers may obtain their source of wealth from cryptocurrencies, ICOs or other crypto-related products.  


#2 – Develop Risk-Based Business Strategies

 Having assessed the nature of any exposure to cryptocurrencies, a firm can begin to make informed decisions about the types of cryptocurrency-related activity it is willing to accept.

Understanding risks and assessing them in a thoughtful way can allow firms to move beyond knee-jerk de-risking of cryptocurrency-related business.

A thoughtful-risk based approach enables firms to maintain exposure to crypto activity and seek opportunities in this exciting new space without taking unnecessary risks.

For example, a firm can implement an approach that allows it to:

·      accept cryptocurrency activity that presents relatively low levels of risk, such as simple trading of Bitcoin on a regulated exchange;

·      engage cryptocurrency businesses that operate in certain jurisdictions but not in others that would present risks of sanctions breeches or other unacceptable activity; and

·      clearly articulate those crypto-related products and services it is not willing to accept so that staff are aware of activity that may not be pursued.

#3 – Cultivate Expertise 

Banks and other firms should develop knowledge of cryptocurrencies among their AML/CTF compliance staff, as well as among their financial intelligence units and investigative teams.

Training and ongoing educational opportunities on cryptocurrencies should be provided to key staff members, who will then be equipped to play a proactive role in managing risks in a thoughtful and truly risk-based manner.

Crypto-focused training can include developing staff understanding of:

·      relevant financial crime typologies;

·      available crypto-related products and services;

·      significant industry developments; and

·      the evolving regulatory landscape around cryptocurrencies.


#4 – Deploy Bespoke Controls

It’s important to avoid the temptation to treat cryptocurrency risks like any other financial crime risks.

Cryptocurrency risks warrant bespoke approaches.

When assessing the risks around customers or transactions involving cryptocurrencies, firms should measure risks considering the unique circumstances of the situation.

For example, if a pre-paid card customer is observed purchasing cryptocurrencies from an exchange, it may help to understand if that exchange has a sound reputation and is subject to regulation before deciding if the activity is acceptable or not. This requires having in place a carefully designed methodology for assessing the risk factors around cryptocurrency exchanges.

Developing an effective control framework can also include considering whether to utlise cryptocurrency forensic tools for monitoring customers’ crypto activity or for use in conducting complex investigations in support of SAR filings.

What’s important is that these controls are designed and deployed in a thoughtful manner, and tested to ensure they work effectively.


Summing Up


As regulators take a closer look at cryptocurrencies, firms must take the initiative and ensure they are managing the financial crime risks.

Whether you’re a cryptocurrency exchange, retail bank, FinTech or other financial institution, the time to begin building a robust crypto risk management framework is now.

At FINTRAIL, we’re equipped to assist your business in its cryptocurrency risk management journey. Whether it’s

·      designing bespoke risk assessment methodologies and conducting risk assessments;

·      defining risk appetite statements and measuring adherence to risk appetite;

·      developing and delivering financial crime training;

·      establishing and supporting financial crime committees and other governance arrangements;

·      designing new policies processes, tools and systems; or

·      establishing audit and assurance arrangements, and conducting tests of systems and controls


Our team of consultants is here to help.


[1] Europol, From Suspicion to Action: Converting financial intelligence into greater operational impact, 2017, p. 18.

[2] See

[3] See JMLSG, chapters 7.29 – 7.41.

[4] See JMLSG, chapter 3.35.


Geopolitics & Cryptocurrency

Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years.  Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage.  With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.

Korean Cryptocurrency

The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading.  Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.

There has appeared in recent months to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950.  In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached.  But with latest UN reports suggesting the Kim regime is continuing to build their nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.  

As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy.  It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme which is estimated to cost 30% of the country’s GDP.  Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. An unsurprising fact, as North Korea is among the most corrupt in the world, currently 171 out of 180.  Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of cryptotrading very attractive.  The difficulty of tracing the source of virtual funds, especially when trading involves private coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender.  The dollars, euros or pounds can be entirely without trace of their suspicious origins.

The regime has also allegedly turned its hand to simple theft of cryptocurrencies.  Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.

Russia’s Crypto Measures

Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election.  Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.  

The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality.  However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN).  They also raised funds through bitcoin mining.

It also detailed how they obscured the origin of bitcoin they received:

‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’

As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself.  They laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’.  The growing awareness and recognition of the intricacies of the cryptomarket by authorities, means the same will be expected of financial institutions. It was noted the 12 Russians used a mix of currencies including US dollars so the border between fiat and cryptocurrencies needs to be understood as an institution that believes itself to deal only in one or the other, is likely exposed to both.

Practical Steps for FinTechs

With over 1500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being private coins and of course coins created by sanctioned entities, such as Petro coin by Venezuela.

Weak KYC and verification processes on signing up for an account with a crypto-exchange is an important factor.   Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.

Geography is central to assessing financial crime risk.  While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.

Regulatory status of a crypto-exchange is a particularly fast evolving risk factor.  There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities.  However it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. A lack of oversight that makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and yes, sanctions evasion.


While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context.  Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.

5AMLD - What To Look Out For

Just over a month ago, the final text of the Fifth Anti-Money Laundering Directive (5AMLD) was published, kicking off the 18-month countdown until it comes into play. Its precise, full impact is unknown for now, but it is expected to significantly impact the way governments, regulators and businesses in Europe have to approach financial crime risk.

What’s the rush?

This new directive followed the former surprisingly quickly in large part due to the rising popularity of digital currencies combined with the hysteria following the Panama Papers. Given it’s only been 2 years since the last AMLD was adopted (some countries are still trying to implement it), compared to the 12-year gap between the previous AMLDs, it is clear the European Commission is focused on reassuring people and businesses that they are on top of new and developing issues.

What does 5AMLD actually change?

The key change from the 4AMLD comes in the definition of “obliged entities”, increasing its scope to include virtual currencies, anonymous prepaid cards and other digital currencies. Previously, there have been no specific laws aimed to cope with the risks of virtual currencies and it’s clear that with this new directive, the European Commission is intent on making sure that virtual currencies do not become a safe space for criminality. It also shows clear signs of their move to increase the scope of the fight against money laundering (ML) and terrorist financing (TF), as criminals can take advantage of the anonymity of virtual and digital currencies.

The other key aspect of the 5AMLD is that it further clarifies the requirements and timings for the implementation of the required beneficial ownership registers introduced in the 4AMLD. Essentially, member states and the European Commission will be required to keep accurate and up to date registers that must be interconnected to the European central platform. This integration will allow for more efficient information sharing, making it easier to combat ML and TF.

Other features include the adjustments made to address Politically Exposed Persons (PEPs), expanding the definition and pledging to publish a combined list of EU and Member states’ lists of all prominent public functions. Traditionally, a “one size fits all” and “once a PEP, always a PEP” approach has been used, but this system is not adequately risk-based. The new regulations hope to address this issue by integrating a more nuanced and comprehensive approach to identifying and managing the financial crime risked linked to PEPs.

There is also set to be enhanced co-operation and information sharing among EU Financial Intelligence Units (FIUs) in the hope that this will make information more easily accessible and align with international best practices. FIUs across the EU receive broader powers under the 5AMLD as they will no longer need be limited to the identification of a predicate offence or suspicious activity report prior to filing an information request.

So, how to prepare?

With this new directive being introduced, here are a few things firms may want to consider in preparation:

1)    Virtual Currencies – 5AMLD will require obliged entities, i.e. providers engaged in exchange services between virtual and fiat currencies, to be registered and to comply with AML and CFT requirements. National authorities will be authorized to obtain all the associated information and regulate them accordingly. Exchanges that fall under the definition of an obliged entity will need to start benchmarking their existing frameworks against existing EU and jurisdiction specific AML & CTF controls and making any appropriate enhancements.

2)    PEP Categorisation – With changes being made to PEPs, firms may want to start thinking about how they categorise PEPs and how they apply different levels of monitoring such that when the new categorisation criteria come in, they are prepared

3)    Increased Reporting – Under new business ownership discrepancy rules, firms will be obliged to report discrepancies they find between the beneficial ownership information available in the central registers and their own registers. In the case of reported discrepancies, Member States will be obliged to ensure that appropriate actions be taken to resolve the discrepancies in a timely manner.

4)    Due Diligence Advances – 5AMLD will require a specific Enhanced Due Diligence list to be applied when dealing with high-risk countries defined by the European Commission. You should review and update your due diligence processes to ensure full compliance.

If you need any help scoping enhancements for implementation or indeed reviewing whether your current procedures meet the requirements of EU or jurisdiction specific requirements, FINTRAIL will be happy to offer assistance.

UK Suspicious Activity Reports (SAR) - Balancing Customer Experience in a FinTech

Suspicious Activity Reports (SARs) are familiar to many of us as the mechanism used by obliged entities to report suspicion of money laundering or terrorist financing to relevant authorities. However, the SAR process can cause some challenges for early stage FinTechs who are trying to balance regulatory requirements with transparent and customer centric service. It is something we get a lot of questions about, so we thought we would outline some hints and tips on things to think about.

In the asymmetrical game of whack-a-mole that is the fight against financial crime, SAR’s are a useful but sometimes imperfect tool for generating intelligence about financial criminals. Notifying the appropriate financial crime enforcement unit such as the National Crime Agency (NCA) when a Defence Against Money Laundering SAR (DAML) is required is not only the right thing to do but also usually a regulatory and legal requirement. DAML SARs, as the name implies, are reports that describe the most important facets of activity that could be regarded as suspicious and indicative of money laundering.  Their regulatory purpose can’t be understated, as they act a conduit between the events themselves, the handling of the questionable funds, and possible investigation by law enforcement.

However, the nature of SARs and the context they operate in can be challenging. This is especially true for companies and especially start-ups in the FinTech sector who are seeking to meet their regulatory and legal requirements while also providing a great customer experience. FinTechs are operating in an interesting era, where customer feedback on social media and review sites such as TrustPilot have tangible impact on the success of a product or service. They also provide a challenge to financial crime teams and those responsible for public relations (which we discuss below).

We aren’t going to dive deep in to the overall requirements of the SAR regime in this blog, we would be here for some time! Instead, we will focus on a few practical tips for FinTechs to consider when balancing customer experience and their regulatory and legal requirements. Wider SAR guidance is available from the likes of the NCA and the team at FINTRAIL are always available to offer advice.

1.    It will happen

The first thing we stress to our customers who form part of the reporting regime is that, at some stage, you will to have to deal with a customer and the SAR process. You are better developing a simple internal process before it happens. Think about what your team needs to do when dealing with a customer subject to an investigation before you have the additional pressure of them asking for answers. Equally, ensuring you have clear customer off-boarding/exit process will also ensure this is done in a timely and fair way. Once you have a process established, ensure your team is well trained and understands the risks and challenges associated with customer investigations.

2.    Don’t Panic

The language around SARs and things like “tipping-off” can be intimidating, especially when you see terms like criminal offence. Don’t panic about this. By doing step 1 first you will be able to make sure you meet your obligations. No one is perfect, and mistakes sometimes get made, just make sure to learn from those opportunities.

3.    Have a strategy for customer engagement

It’s well known - particularly in the FinTech community, where customer interaction is vital, immediate and direct - that some of those who engage in financial crime are wily and tenacious. They can be hostile in their communications once transactions are blocked, or accounts are suspended pending investigation or the submission of a SAR. Those who must deal with them are presented an unenviable operational challenge: they cannot give anything away that would make the criminal suspect they are the subject of investigation/SAR (“tipping off”), but nor can they lie and treat the customer unfairly.

Each instance is different, but there are some suggestions that are practical for most encounters:

  • Don’t ignore customers, as positive engagement is a better strategy than ignoring them. Be polite, professional and responsive but have a clear line and stick with it.

  • Proactively provide your customer ops or support teams with standard lines or approaches to take in response to customer enquiries. Make sure they have training on these approaches and they are broadly consistent.

  • Trust in your policies and processes, they are there for a reason. However, if you find something has gone wrong make sure you capture the reasons and put it right.

  • Do not be swayed by threats. This is a tactic we have seen used on several occasions to try and force a response from the obliged entity and put those people dealing with them under increased pressure.

  • As an organisation, you should have a zero-tolerance policy to harassment or intimidation and if this occurs you should immediately involve your local law enforcement.

  • Just because they are subject to a SAR doesn’t mean their rights as a customer are suspended. Refer them to relevant departments, such as complaints, in the appropriate circumstances.

  • Sometimes it’ll be necessary to move the case up the chain to someone on the team with greater authority or more knowledge of the situation. Knowing when to do this, and when not to, is important.

  • Be responsive on social media and to customer reviews. The compliance/financial crime and PR/social media teams can collaborate to standardise responses to negative feedback from customers on the back of investigation or exit process, without the risk of tipping-off.

  • However, do not get dragged in to drawn-out back-and-forth with customers on social media. Provide a clear, well-judged and visible response but do not allow them to bait you.

4.    Write clear and accurate SARs/DAML SARs

In the UK especially, the NCA receives hundreds of DAML requests every day and thousands of SARs. To help law enforcement process those requests as efficiently as possible and therefor provide you with the response you may be requesting, it is important to ensure you follow guidance and provide complete, well written and concise SARs. Equally, make sure you follow relevant guidance on when and when not to file a SAR or DAML SAR to avoid over filing and creating unwarranted operational challenges.


Without a doubt, SARs perform a valuable function, and they have proven their worth countless times by helping to start and inform investigations into criminal activity. However, the SAR process can cause operational and customer challenges that if considered before they happen, can be managed efficiently while still maximising a great customer experience.

GDPR Principles: Vetting Data Processors In A Digital World

GDPR no longer needs any introduction, and here at FINTRAIL, we loved collaborating with the team at Jumio to help them launch their GDPR e-booklet, which you can download here.  

Together, we came up with 5 key principles that we think best help data controllers understand the activity of their online identity verification providers, and whether or not they’re fully GDPR compliant. Data processors in this space handle vast amounts of sensitive, personal data that, while integral to ensuring customers are who they say they are, can also be exploited or mishandled.  As such, GDPR compliant practices are key.

In brief, these are the main questions that controllers can ask of their processors which will help frame their thinking on this important aspect of compliance:

  1. Human Review: How are verification decisions made and what recourse do data subjects have to challenge those decisions?

    • GDPR gives individuals the right not to have significant decisions made about them solely on the basis of automated processing.

  2. Compliant Machine Learning: Does the data processor employ Compliant Machine Learning?

    • Under GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.

  3. Data Retention: Can data retention policies be tailored to your business requirements?

    • Clear processes around data retention and deletion help processors and controllers deal with the stipulations around Subject Access Requests.

  4. Data Breach Notifications: Do you have a data breach notification process in place and has it been tested?

    • Processors, as well as controllers need to be able to inform relevant parties of any data breach in a timely fashion; having clear and verified processes around this is one step in the right direction.

  5. Data Encryption: Is personal data encrypted and protected appropriately?

    • Proper data protection and encryption reduces the likelihood of a breach and increases the privacy of citizens’ information. GDPR stipulates that personal data is properly protected.

You can read more detail in the e-booklet of course, and find out even more information about GDPR, its implications for processors, how best to approach these questions, and exactly how Jumio is helping controllers maintain and manage their GDPR compliance through its innovative identity verification solutions and careful approach to data privacy.