Sextortion: The Underreported Predicate Offence

Cases of sextortion are on the rise; however, as this type of crime grows in prominence, its relation to financial crime remains under-explored.

In May 2018, the National Crime Agency warned that tens of thousands of Britons were being targeted by ‘sextortion’ gangs. Reported cases have increased three times since 2015, and in July 2018, reports of a new, related phishing scam began making their way into our newsfeeds.

Sextortion is not a legal term and is used to cover a broad range of criminal activities. Interpol offer one of the best definitions, classing it as ‘blackmail in which sexual information or images are used to extort favours and/or money from the victim.’

Despite growing awareness from both a law enforcement and potential victim perspective, little analysis has been done on the financial crime implications of sextortion, which are potentially significant.

To help shed light on the subject, we explore three models here, detailing how they operate and what money laundering red flags you should look for.

The Phishing Scam

Over the past couple of months, law enforcement agencies from around the globe and across the UK have identified a new scam whereby perpetrators email victims alleging to have hacked into their webcam whilst they were watching pornographic content. The perpetrators request sums ranging from USD$200 to USD$8000 to be paid in Bitcoin and have allegedly made USD$500,000 in total off of the scam thus far. Other phishing scams linked to sextortion exist as well, meaning that funds which firms might have seen laundered, and would normally attribute to classic phishing scams, could in fact be proceeds from sextortion. The likelihood of this could increase with time as the success of recent sextortion-related phishing campaigns becomes publicised.

Financial Crime Implications

  • Cryptocurrency payments – payments relating to sextortion cases may be requested in cryptocurrencies, so efforts should be made to cluster and risk-rate bitcoin addresses; this information could be shared with FinTechs whose customers deal in cryptocurrencies or who directly facilitate cryptocurrency exchanges and wallets.

  • Recurring payments to the same beneficiary – the initial one-time payment could become recurring (though the value of each payment could change). Moreover, the payer and payee may have no other obvious connection outside of these payments.

  • New customers – victims could be new to paying in cryptocurrency and may not use cryptocurrency exchanges outside of these transactions.

The Catfishing Scam

This type of scam is typically carried out through organised criminal efforts, where fake profiles of women are created and used to entice men into performing sexually compromising acts on camera that are then recorded and used as blackmail. Recent cases have seen such activity linked to Romanian crime groups and call centre-style establishments out of the Philippines. Some photos and videos used to create these women are assessed to originate from coerced activity.

Financial Crime Implications

  • Payments from victims – these could come through as FPS payments and, as with phishing scams, could be larger amounts followed by recurring payments of varying amounts.

  • Adverse media checks – some KYC details, including contact information and residential address, may be found through adverse media checks to be connected to alleged romance fraud, dating scams or catfishing.

  • Organised activity – as these types of sextortion scams are often centrally organised, network analysis can be conducted on suspect accounts.
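
The recurring-payment indicators in the phishing and catfishing lists above, sketched as a monitoring rule with a first step towards network analysis. This is an added example, not FINTRAIL's tooling: the ledger layout, the `min_payments` threshold and the use of one-directional flow as a stand-in for "no other obvious connection" are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (payer, payee, date, amount). Not real data.
SAMPLE_PAYMENTS = [
    ("cust_A", "acct_X", date(2018, 7, 2), 900.00),    # larger first payment
    ("cust_A", "acct_X", date(2018, 7, 16), 150.00),   # then recurring,
    ("cust_A", "acct_X", date(2018, 8, 1), 220.00),    # varying amounts
    ("cust_A", "acct_X", date(2018, 8, 20), 80.00),
    ("cust_B", "landlord", date(2018, 7, 1), 750.00),  # fixed-amount rent
    ("cust_B", "landlord", date(2018, 8, 1), 750.00),
    ("cust_B", "landlord", date(2018, 9, 1), 750.00),
    ("landlord", "cust_B", date(2018, 9, 5), 40.00),   # refund: two-way flow
    ("cust_C", "acct_X", date(2018, 7, 9), 400.00),    # one-off payment
]


def flag_recurring_pairs(payments, min_payments=3):
    """Return {(payer, payee): [indicators]} for pairs matching the pattern.

    min_payments is an assumed threshold, not a figure from the article.
    """
    by_pair = defaultdict(list)
    for payer, payee, when, amount in payments:
        by_pair[(payer, payee)].append((when, amount))

    alerts = {}
    for (payer, payee), rows in by_pair.items():
        rows.sort()                       # chronological order
        amounts = [amount for _, amount in rows]
        if len(rows) < min_payments:
            continue                      # too few payments to call recurring
        if len(set(amounts)) == 1:
            continue                      # fixed amount: rent, subscription
        if (payee, payer) in by_pair:
            continue                      # two-way flow suggests another relationship
        indicators = ["recurring_same_beneficiary", "varying_amounts",
                      "one_directional"]
        if amounts[0] == max(amounts):
            indicators.append("largest_payment_first")
        alerts[(payer, payee)] = indicators
    return alerts


def beneficiary_fan_in(payments, alerts):
    """For each flagged beneficiary, list every distinct payer in the ledger.

    Other payers into the same account are candidates for joint review,
    which is the starting point for network analysis on suspect accounts.
    """
    flagged_payees = {payee for _, payee in alerts}
    payers = defaultdict(set)
    for payer, payee, _, _ in payments:
        if payee in flagged_payees:
            payers[payee].add(payer)
    return {payee: sorted(names) for payee, names in payers.items()}


if __name__ == "__main__":
    found = flag_recurring_pairs(SAMPLE_PAYMENTS)
    for pair, indicators in found.items():
        print(pair, indicators)
    print(beneficiary_fan_in(SAMPLE_PAYMENTS, found))
```

An alert from a rule like this is a prompt for analyst review, since the same shape can arise from legitimate informal payments.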

The Blackmail Trade

Blackmail trading can be done through organised criminal groups or more decentralised networks. This type of sextortion typically targets women, and overwhelmingly women under the age of 18. In some cases, children’s sites have deliberately been exploited to find potential victims. It begins similarly to catfishing, with the victim being encouraged into sexually compromising activity, which is then used as blackmail to extort further sexual activity. When the perpetrator grows bored of the victim, they will sell the blackmail material (and by extension, the victim) to a buyer who continues the activity.

Financial Crime Implications

  • Perpetrator to Perpetrator payments – as the payments are for blackmail, amounts could be smaller sums (e.g., £50 to £200) that are one-off payments and may be done through P2P platforms as the parties may know each other. They could be less likely to recur.

  • Payment references – check suspicious payments for references to sexual acts, children’s websites and the name of a woman in a payment between two men.

In all of these cases, unlike other scams, victims rarely ever report the abuse. The implications can be devastating and have been linked to suicide and non-virtual sexual violence. Even when victims do manage to escape, the fear remains. More effort is needed not just to help potential victims protect themselves, but also to crack down on the financial trail behind these activities. The latter - if addressed correctly - has significantly more chance of identifying rings and perpetrators than relying solely on victims reporting crimes, and is another area where public-private partnership could be used to powerful effect.

If you’d like to further discuss this type of crime or other serious predicate offences and how they are financed, don’t hesitate to get in touch.


Why Swiss Plans To Relax AML Regs For FinTech May Do More Harm Than Good

At FINTRAIL we think the Swiss plans to relax Anti-Money Laundering (AML) rules for FinTech under a certain size may actually be a bad idea for the industry and cause those that take advantage of them longer-term harm and complexity.

We fully recognise that for small and early stage companies, complying with AML and Anti-Financial Crime (AFC) requirements can feel burdensome; however, it comes with a couple of significant advantages. Firstly, embedding AFC at an early stage is not just about complying with regulations, it's about building a strong compliance culture from scratch: creating a false pause in the need to do this frankly just makes the process harder when you do need to do it due to regulatory requirements. Secondly, by making people think about AFC from the start, they can build in controls, make product changes easily, and generally make AFC a contributing factor to a great customer experience. Removing the drivers to set up an AFC framework from the start will mean that companies start bolting on controls, and - as we all know from the legacy institutions - that becomes supremely difficult.

At FINTRAIL we feel very privileged to work with dozens of FinTech companies who are at different stages of development and fall under a range of regulatory regimes: one advantage they all have over legacy institutions is that they are thinking about AML/AFC from day one. Is it hard to deal with regulations? Yes, of course, but by building it into the very foundation of the company and product they end up in a much better position long-term. It is driving innovation and forcing people to think differently about AML/AFC, their customers and products, and embedding a strong AFC culture from the start that remains as agile as the product development itself. If you want to rapidly scale your business and have a genuinely effective AFC regime, bolting that on is not the way to do it.

Our view is that rather than removing the need to comply with AML regulations, regulators should be looking at how they can simplify the process of complying for those that are at an early stage of their disruptive journey. In our mind that is about providing far more education and support. It would also give regulators the chance to simplify the language used in regulations to make them easier to understand and thereby implement, while not removing the spirit of what these companies need to become accustomed to dealing with as they scale.

Cryptocurrencies: Getting Serious About Financial Crime Risk Management

Key Points

·      Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

·      With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

·      In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

·      Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

·      The foundations for implementing a successful risk-based approach to cryptocurrencies rest on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers

·      In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner


Introduction

 The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe.

By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation.

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crimes Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation.

Many in the EU’s crypto industry have attempted to get ahead of the curve.

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU, ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’[1] 

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to do so could mean fines or other penalties for crypto businesses that fail to meet regulators’ expectations.

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face.

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions.

Unfortunately, the same old approaches won’t work.

Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions.

 A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box.

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge.


The Crypto Industry 

 

Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes.

Best practice in AML/CFT is about thoughtfully managing risk.

 A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk.

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

A well-designed risk-based approach starts with a thorough financial crime risk assessment.

For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential.

What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows. 

Current regulatory guidance, such as that of the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

·      Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing? 

·      Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

·      Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect?

·      Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present.

For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail.

Crypto businesses should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile.

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:

·      developing a logical approach to measuring inherent and residual risks;

·      ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

·      having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise.

 

#2 Defining Risk Appetite

 When a business understands its risks, it can decide which risks it finds acceptable, and those it finds too high.

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated[2], a good risk appetite statement can achieve several goals, including:

·      setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

·      establishing limits to risk taking so that staff have a clear understanding of unacceptable risks; 

·      defining staff members’ roles and responsibilities for mitigating risks; and

·      providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite.

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk.

#3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals.

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG[3] advises, training should include ensuring staff awareness of:

 

·      the company’s risks, as identified in its financial crime risk assessment;

·      the company’s financial crime policies, procedures, systems and controls;

·      AML/CTF regulatory requirements applicable to the company, and the consequences of breaching those requirements;

·      the types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

·      red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs).

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company.

This may be accomplished, in part, by establishing financial crime risk committees that are comprised of senior risk and compliance staff and that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.  

#4 Choosing and Tuning Tools 

To be effective, a financial crime compliance team must be more than just impressive-sounding titles.

Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces.

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risk assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used.

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite.

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks.

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations. 

As JMLSG notes[4], effective systems and controls are generally characterised by factors such as:

·      alignment with regulatory requirements and expectations;

·      appropriate resourcing; and

·      competent staff operating the controls.

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice. 

 

#5 Working with Partners

 Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers.

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms.

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence.

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime.


Other Financial Institutions

 

It’s not just crypto businesses that need to be aware of the changing regulatory climate. Banks and other financial institutions must be alert to the crypto-related risks they face.

As the UK’s FCA stated in its letter to firms in June 2018, ‘You should take reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets.’[5]

We’ve identified some ways that non-crypto financial institutions can tackle the crypto challenge.

#1 – Measure Risk Exposure

Banks and other firms should not just make blanket assumptions about the nature or extent of cryptocurrency-related risks they may face. A risk assessment and benchmarking exercise can assist in determining the extent of any exposure, whether direct or indirect, a firm may have to cryptocurrency services and users. For example:

·      a large bank undertakes a review of customer transactions to determine whether any customers are acting as unlicensed crypto brokers on sites such as LocalBitcoins.com;

·      a prepaid card provider conducts a review of customers’ spending patterns to determine which customers are buying cryptocurrencies from exchanges, and to understand the nature of that activity;

·      a wealth management firm conducts a risk-based review to determine whether any high net worth customers may obtain their source of wealth from cryptocurrencies, ICOs or other crypto-related products.  

 

#2 – Develop Risk-Based Business Strategies

 Having assessed the nature of any exposure to cryptocurrencies, a firm can begin to make informed decisions about the types of cryptocurrency-related activity it is willing to accept.

Understanding risks and assessing them in a thoughtful way can allow firms to move beyond knee-jerk de-risking of cryptocurrency-related business.

A thoughtful risk-based approach enables firms to maintain exposure to crypto activity and seek opportunities in this exciting new space without taking unnecessary risks.

For example, a firm can implement an approach that allows it to:

·      accept cryptocurrency activity that presents relatively low levels of risk, such as simple trading of Bitcoin on a regulated exchange;

·      engage cryptocurrency businesses that operate in certain jurisdictions but not in others that would present risks of sanctions breaches or other unacceptable activity; and

·      clearly articulate those crypto-related products and services it is not willing to accept so that staff are aware of activity that may not be pursued.

#3 – Cultivate Expertise 

Banks and other firms should develop knowledge of cryptocurrencies among their AML/CTF compliance staff, as well as among their financial intelligence units and investigative teams.

Training and ongoing educational opportunities on cryptocurrencies should be provided to key staff members, who will then be equipped to play a proactive role in managing risks in a thoughtful and truly risk-based manner.

Crypto-focused training can include developing staff understanding of:

·      relevant financial crime typologies;

·      available crypto-related products and services;

·      significant industry developments; and

·      the evolving regulatory landscape around cryptocurrencies.

 

#4 – Deploy Bespoke Controls

It’s important to avoid the temptation to treat cryptocurrency risks like any other financial crime risks.

Cryptocurrency risks warrant bespoke approaches.

When assessing the risks around customers or transactions involving cryptocurrencies, firms should measure risks considering the unique circumstances of the situation.

For example, if a pre-paid card customer is observed purchasing cryptocurrencies from an exchange, it may help to understand if that exchange has a sound reputation and is subject to regulation before deciding if the activity is acceptable or not. This requires having in place a carefully designed methodology for assessing the risk factors around cryptocurrency exchanges.

Developing an effective control framework can also include considering whether to utilise cryptocurrency forensic tools for monitoring customers’ crypto activity or for use in conducting complex investigations in support of SAR filings.

What’s important is that these controls are designed and deployed in a thoughtful manner, and tested to ensure they work effectively.

 


Summing Up

 

As regulators take a closer look at cryptocurrencies, firms must take the initiative and ensure they are managing the financial crime risks.

Whether you’re a cryptocurrency exchange, retail bank, FinTech or other financial institution, the time to begin building a robust crypto risk management framework is now.

At FINTRAIL, we’re equipped to assist your business in its cryptocurrency risk management journey. Whether it’s

·      designing bespoke risk assessment methodologies and conducting risk assessments;

·      defining risk appetite statements and measuring adherence to risk appetite;

·      developing and delivering financial crime training;

·      establishing and supporting financial crime committees and other governance arrangements;

·      designing new policies, processes, tools and systems; or

·      establishing audit and assurance arrangements, and conducting tests of systems and controls

 

Our team of consultants is here to help.

 

[1] Europol, From Suspicion to Action: Converting financial intelligence into greater operational impact, 2017, p. 18.

[2] See http://www.fsb.org/wp-content/uploads/r_131118.pdf

[3] See JMLSG, chapters 7.29 – 7.41.

[4] See JMLSG, chapter 3.35.

[5] https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-cryptoassets-financial-crime.pdf

Geopolitics & Cryptocurrency

Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years.  Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage.  With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.

Korean Cryptocurrency

The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading.  Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.

There has appeared in recent months to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950.  In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached.  But with latest UN reports suggesting the Kim regime is continuing to build their nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.  

As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy. It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme, which is estimated to cost 30% of the country’s GDP. Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. This is unsurprising, as North Korea is among the most corrupt countries in the world, currently ranked 171 out of 180. Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of cryptotrading very attractive. The difficulty of tracing the source of virtual funds, especially when trading involves private coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender. The dollars, euros or pounds can be entirely without trace of their suspicious origins.

The regime has also allegedly turned its hand to simple theft of cryptocurrencies.  Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.

Russia’s Crypto Measures

Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election.  Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.  

The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality.  However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN).  They also raised funds through bitcoin mining.

It also detailed how they obscured the origin of bitcoin they received:

‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’

As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself. The conspirators laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’. The growing awareness and recognition of the intricacies of the cryptomarket by authorities means the same will be expected of financial institutions. It was noted that the 12 Russians used a mix of currencies including US dollars, so the border between fiat and cryptocurrencies needs to be understood: an institution that believes itself to deal only in one or the other is likely exposed to both.

Practical Steps for FinTechs

With over 1500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being private coins and of course coins created by sanctioned entities, such as Petro coin by Venezuela.

Weak KYC and verification processes on signing up for an account with a crypto-exchange are an important factor. Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.

Geography is central to assessing financial crime risk.  While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.

Regulatory status of a crypto-exchange is a particularly fast evolving risk factor. There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities. However, it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. This lack of oversight makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and yes, sanctions evasion.

Conclusion

While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context.  Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.

5AMLD - What To Look Out For

Just over a month ago, the final text of the Fifth Anti-Money Laundering Directive (5AMLD) was published, kicking off the 18-month countdown until it comes into play. Its precise, full impact is unknown for now, but it is expected to significantly impact the way governments, regulators and businesses in Europe have to approach financial crime risk.

What’s the rush?

This new directive followed the former surprisingly quickly in large part due to the rising popularity of digital currencies combined with the hysteria following the Panama Papers. Given it’s only been 2 years since the last AMLD was adopted (some countries are still trying to implement it), compared to the 12-year gap between the previous AMLDs, it is clear the European Commission is focused on reassuring people and businesses that they are on top of new and developing issues.

What does 5AMLD actually change?

The key change from the 4AMLD comes in the definition of “obliged entities”, increasing its scope to include virtual currencies, anonymous prepaid cards and other digital currencies. Previously, there have been no specific laws aimed to cope with the risks of virtual currencies and it’s clear that with this new directive, the European Commission is intent on making sure that virtual currencies do not become a safe space for criminality. It also shows clear signs of their move to increase the scope of the fight against money laundering (ML) and terrorist financing (TF), as criminals can take advantage of the anonymity of virtual and digital currencies.

The other key aspect of the 5AMLD is that it further clarifies the requirements and timings for the implementation of the required beneficial ownership registers introduced in the 4AMLD. Essentially, member states and the European Commission will be required to keep accurate and up to date registers that must be interconnected to the European central platform. This integration will allow for more efficient information sharing, making it easier to combat ML and TF.

Other features include the adjustments made to address Politically Exposed Persons (PEPs), expanding the definition and pledging to publish a combined list of EU and Member States’ lists of all prominent public functions. Traditionally, a “one size fits all” and “once a PEP, always a PEP” approach has been used, but this system is not adequately risk-based. The new regulations hope to address this issue by integrating a more nuanced and comprehensive approach to identifying and managing the financial crime risk linked to PEPs.

There is also set to be enhanced co-operation and information sharing among EU Financial Intelligence Units (FIUs) in the hope that this will make information more easily accessible and align with international best practices. FIUs across the EU receive broader powers under the 5AMLD as they will no longer need to be limited to the identification of a predicate offence or suspicious activity report prior to filing an information request.

So, how to prepare?

With this new directive being introduced, here are a few things firms may want to consider in preparation:

1)    Virtual Currencies – 5AMLD will require obliged entities, i.e. providers engaged in exchange services between virtual and fiat currencies, to be registered and to comply with AML and CFT requirements. National authorities will be authorized to obtain all the associated information and regulate them accordingly. Exchanges that fall under the definition of an obliged entity will need to start benchmarking their existing frameworks against existing EU and jurisdiction specific AML & CTF controls and making any appropriate enhancements.

2)    PEP Categorisation – With changes being made to PEPs, firms may want to start thinking about how they categorise PEPs and how they apply different levels of monitoring, so that they are prepared when the new categorisation criteria come in.

3)    Increased Reporting – Under new business ownership discrepancy rules, firms will be obliged to report discrepancies they find between the beneficial ownership information available in the central registers and their own registers. In the case of reported discrepancies, Member States will be obliged to ensure that appropriate actions be taken to resolve the discrepancies in a timely manner.

4)    Due Diligence Advances – 5AMLD will require a specific Enhanced Due Diligence list to be applied when dealing with high-risk countries defined by the European Commission. You should review and update your due diligence processes to ensure full compliance.

If you need any help scoping enhancements for implementation or indeed reviewing whether your current procedures meet EU or jurisdiction-specific requirements, FINTRAIL will be happy to offer assistance.

UK Suspicious Activity Reports (SAR) - Balancing Customer Experience in a FinTech

Suspicious Activity Reports (SARs) are familiar to many of us as the mechanism used by obliged entities to report suspicion of money laundering or terrorist financing to relevant authorities. However, the SAR process can cause some challenges for early stage FinTechs who are trying to balance regulatory requirements with transparent and customer centric service. It is something we get a lot of questions about, so we thought we would outline some hints and tips on things to think about.

In the asymmetrical game of whack-a-mole that is the fight against financial crime, SARs are a useful but sometimes imperfect tool for generating intelligence about financial criminals. Notifying the appropriate financial crime enforcement unit such as the National Crime Agency (NCA) when a Defence Against Money Laundering SAR (DAML) is required is not only the right thing to do but also usually a regulatory and legal requirement. DAML SARs, as the name implies, are reports that describe the most important facets of activity that could be regarded as suspicious and indicative of money laundering. Their regulatory purpose can’t be overstated, as they act as a conduit between the events themselves, the handling of the questionable funds, and possible investigation by law enforcement.

However, the nature of SARs and the context they operate in can be challenging. This is especially true for companies, and especially start-ups, in the FinTech sector who are seeking to meet their regulatory and legal requirements while also providing a great customer experience. FinTechs are operating in an interesting era, where customer feedback on social media and review sites such as TrustPilot has a tangible impact on the success of a product or service. These channels also provide a challenge to financial crime teams and those responsible for public relations (which we discuss below).

We aren’t going to dive deep into the overall requirements of the SAR regime in this blog; we would be here for some time! Instead, we will focus on a few practical tips for FinTechs to consider when balancing customer experience and their regulatory and legal requirements. Wider SAR guidance is available from the likes of the NCA, and the team at FINTRAIL are always available to offer advice.

1.    It will happen

The first thing we stress to our customers who form part of the reporting regime is that, at some stage, you will have to deal with a customer and the SAR process. You are better off developing a simple internal process before it happens. Think about what your team needs to do when dealing with a customer subject to an investigation before you have the additional pressure of them asking for answers. Equally, having a clear customer off-boarding/exit process will ensure this is done in a timely and fair way. Once you have a process established, ensure your team is well trained and understands the risks and challenges associated with customer investigations.

2.    Don’t Panic

The language around SARs and things like “tipping-off” can be intimidating, especially when you see terms like criminal offence. Don’t panic about this. By doing step 1 first you will be able to make sure you meet your obligations. No one is perfect, and mistakes sometimes get made; just make sure to learn from those opportunities.

3.    Have a strategy for customer engagement

It’s well known - particularly in the FinTech community, where customer interaction is vital, immediate and direct - that some of those who engage in financial crime are wily and tenacious. They can be hostile in their communications once transactions are blocked, or accounts are suspended pending investigation or the submission of a SAR. Those who must deal with them are presented with an unenviable operational challenge: they cannot give anything away that would make the criminal suspect they are the subject of investigation/SAR (“tipping off”), but nor can they lie and treat the customer unfairly.

Each instance is different, but there are some suggestions that are practical for most encounters:

  • Don’t ignore customers, as positive engagement is a better strategy than ignoring them. Be polite, professional and responsive but have a clear line and stick with it.

  • Proactively provide your customer ops or support teams with standard lines or approaches to take in response to customer enquiries. Make sure they have training on these approaches and they are broadly consistent.

  • Trust in your policies and processes, they are there for a reason. However, if you find something has gone wrong make sure you capture the reasons and put it right.

  • Do not be swayed by threats. This is a tactic we have seen used on several occasions to try and force a response from the obliged entity and put those people dealing with them under increased pressure.

  • As an organisation, you should have a zero-tolerance policy to harassment or intimidation and if this occurs you should immediately involve your local law enforcement.

  • Just because they are subject to a SAR doesn’t mean their rights as a customer are suspended. Refer them to relevant departments, such as complaints, in the appropriate circumstances.

  • Sometimes it’ll be necessary to move the case up the chain to someone on the team with greater authority or more knowledge of the situation. Knowing when to do this, and when not to, is important.

  • Be responsive on social media and to customer reviews. The compliance/financial crime and PR/social media teams can collaborate to standardise responses to negative feedback from customers on the back of investigation or exit process, without the risk of tipping-off.

  • However, do not get dragged into a drawn-out back-and-forth with customers on social media. Provide a clear, well-judged and visible response but do not allow them to bait you.

4.    Write clear and accurate SARs/DAML SARs

In the UK especially, the NCA receives hundreds of DAML requests every day and thousands of SARs. To help law enforcement process those requests as efficiently as possible, and therefore provide you with the response you may be requesting, it is important to ensure you follow guidance and provide complete, well written and concise SARs. Equally, make sure you follow relevant guidance on when and when not to file a SAR or DAML SAR to avoid over filing and creating unwarranted operational challenges.

Without a doubt, SARs perform a valuable function, and they have proven their worth countless times by helping to start and inform investigations into criminal activity. However, the SAR process can cause operational and customer challenges that, if considered before they happen, can be managed efficiently while still maximising a great customer experience.

GDPR Principles: Vetting Data Processors In A Digital World

GDPR no longer needs any introduction, and here at FINTRAIL, we loved collaborating with the team at Jumio to help them launch their GDPR e-booklet, which you can download here.  

Together, we came up with 5 key principles that we think best help data controllers understand the activity of their online identity verification providers, and whether or not they’re fully GDPR compliant. Data processors in this space handle vast amounts of sensitive, personal data that, while integral to ensuring customers are who they say they are, can also be exploited or mishandled.  As such, GDPR compliant practices are key.

In brief, these are the main questions that controllers can ask of their processors which will help frame their thinking on this important aspect of compliance:

  1. Human Review: How are verification decisions made and what recourse do data subjects have to challenge those decisions?

    • GDPR gives individuals the right not to have significant decisions made about them solely on the basis of automated processing.

  2. Compliant Machine Learning: Does the data processor employ Compliant Machine Learning?

    • Under GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.

  3. Data Retention: Can data retention policies be tailored to your business requirements?

    • Clear processes around data retention and deletion help processors and controllers deal with the stipulations around Subject Access Requests.

  4. Data Breach Notifications: Do you have a data breach notification process in place and has it been tested?

    • Processors, as well as controllers, need to be able to inform relevant parties of any data breach in a timely fashion; having clear and verified processes around this is one step in the right direction.

  5. Data Encryption: Is personal data encrypted and protected appropriately?

    • Proper data protection and encryption reduces the likelihood of a breach and increases the privacy of citizens’ information. GDPR stipulates that personal data is properly protected.

You can read more detail in the e-booklet of course, and find out even more information about GDPR, its implications for processors, how best to approach these questions, and exactly how Jumio is helping controllers maintain and manage their GDPR compliance through its innovative identity verification solutions and careful approach to data privacy.

Cryptocurrencies and UK FinTechs: Perspectives and Experiences of Financial Crime

The UK FinTech FinCrime Exchange (FFE) has just launched its latest white paper on FinTech perspectives and experiences on the nexus of cryptocurrencies and financial crime.

Cryptocurrencies experienced a meteoric rise in both value and popularity at the end of 2017.

While the value of popular cryptocurrencies such as Bitcoin has declined, interest has remained. International governments have been slow to regulate the emerging market, and many in the traditional financial services sector and wider public have expressed concerns related to the ability of cryptocurrencies to facilitate financial crime.
This paper answers the following questions: how does the UK FinTech sector perceive the risks associated with cryptocurrencies, and how are they managing the challenges related to this new disruptive technology?

Our research suggests that while some UK FinTechs have considered engaging more with cryptocurrencies, perceived financial crime concerns, the need for meaningful AML/CTF controls and the lack of regulatory clarity have fostered an attitude of caution.

We found that perceptions of financial crime risk associated with cryptocurrencies differed from actual experiences of FFE members. These perceptions had a disproportionate impact on how FinTechs chose to engage with cryptocurrencies, limiting their appetite for extending their exposure, and for some, that of their banking partners.

The paper recommends that FinTechs not be deterred by the challenges associated with cryptocurrencies, as financial crime concerns can be managed through tailored, risk-based anti-financial crime tools, and a solid understanding of any areas of concern through a detailed risk assessment process. Regulators as well as law enforcement actors should collaborate more with FinTechs in order to improve the broader understanding around cryptocurrencies, financial crime and new regulatory developments.

More detailed findings are presented in the white paper.

For more information on the FFE or on cryptocurrencies and financial crime, please contact the FFE Admin.

FFE Expansion - Holland

FINTRAIL and RUSI, in partnership with Holland FinTech and bunq, are pleased to announce the launch of the Dutch FinTech FinCrime Exchange (FFE NL)!

The FFE NL is a local network connecting the Dutch fintechs to enable sharing of information and typologies, to help strengthen the sector’s ability to detect and counter the global threat of financial crime. The launch of the FFE NL also marks the FFE’s first step toward global expansion and the development of an international, interconnected network for financial crime information sharing.

The initiative leverages the success of the FinTech FinCrime Exchange (FFE) UK and builds on its best practices, while also connecting local actors. The FFE UK is a member organisation of over 45 of the UK’s leading FinTechs, who share information and financial crime typologies and controls. The FFE network produces white papers to exchange best practice on financial crime risk and compliance mechanisms, to share experiences and to inform relevant stakeholders in law enforcement, government and regulatory bodies.

The global scope of financial crime and the shared threats faced by all major FinTech hubs particularly underscore the need for the FFE NL, which will give its members not only a trusted place to exchange information, but also access to an increasingly far-reaching network of resources and perspectives.

The first FFE NL meeting will be held on 30 May in Amsterdam, designed to align with the ACAMS 14th Annual AML & Financial Crime Conference Europe.

The FFE network is currently free for members.  For more information on FFE NL or to register interest in membership, please contact ffe_admin@fintrail.co.uk

The FFE was founded in January 2017 by FINTRAIL, a financial crime risk management consultancy, and the Centre for Financial Crime and Security Studies at the Royal United Services Institute (RUSI). 

Investment Due Diligence: Leave No Stone Unturned

Due diligence - a term bandied about readily with much confidence across many different sectors - is broadly accepted as a process that underpins a thorough and confident appraisal of a specific business proposition, perhaps a significant merger, acquisition or other investment. At its most effective, due diligence arms a business with the facts it needs to make confident, astute decisions. At its worst, poor due diligence muddies already murky waters and potentially guides businesses down the wrong path.

To avoid the latter outcome, it’s best to avoid an off the shelf, one-size-fits-all process and instead adopt a bespoke approach that accounts for all inherent risks associated with a particular proposition.

Venture capital (VC) investment in FinTech - a booming industry - is a case in point. VCs have to understand complex business models and cutting-edge technology to pinpoint viable investment opportunities. Armed with millions, or indeed billions - $1.8 billion was raised by UK FinTechs in 2017 - and facing fierce competition from other VCs, the panoply of risks presented by startup FinTechs could appear daunting.

VCs will often feel most comfortable assessing the viability of the business model and the legal and financial aspects, and will engage experts to evaluate the technology. That makes perfect sense. The success of a FinTech largely hinges on a successful combination of those areas and, more often than not, those are the risks most familiar to VCs. However, other stones sometimes remain unturned.

People risk is often overlooked or considered addressed through a simple criminal background check. With the wealth of information sources now available it’s perhaps remiss not to take a closer look at those who you’re investing in. Start-up scams are not uncommon in Silicon Valley; an early 2017 Fortune article explored the sector’s “unethical underside”. Are the founders who they say they are? How accurate are CVs and other stated accomplishments? The CEO of WrkRiot pleaded guilty to fraud last month. Have failed attempts to fund other start-ups been disclosed? What about other initiatives that crashed spectacularly? Are other business interests in play that conflict with those of the VC? Many a business leader and politician has fallen foul of skeletons discovered in cupboards they’d long since forgotten about.

How about the culture of the firm? Is there evidence of unethical practices in the founders’ previous businesses? What does social media tell us? The merest hint of unethical behaviour could have a huge impact on the culture of the firm, which in turn could lead to corners being cut, regulations not properly adhered to and risk decisions ignored or taken well outside of risk appetite.

Thorough due diligence of a FinTech couldn’t be considered complete without a close look at how its offer might be exposed to financial crime risk. The fledgling nature of the firm will mean a full risk assessment isn’t possible, but early inspection of the proposal will allow for an early judgement to be made on the type of controls and framework needed to deliver a compliant and secure product.

An effective due diligence exercise should alert a VC or other investment firm to concerns in any of these areas. However, if risks go unflagged through neglectful or absent due diligence, they hold the potential to manifest further down the line with grave consequences for the VC and other stakeholders.

FINTRAIL would be delighted to discuss structuring a bespoke due diligence process for any aspect of prospective investments. Our team have deep experience in conducting due diligence for global banks, investors and government agencies and have a wealth of cutting edge tools at our disposal.

A Step in the Right Direction Toward Mitigating Cryptocurrency Risks

It’s a truth universally acknowledged that cryptocurrencies have the power to create a more dynamic, mobile and accessible financial ecosystem, and the enormous potential of the underpinning distributed ledger technology (DLT) for application outside the financial sector is nowhere near being realised.

But as with most great strides in innovation, there are concerns and risks to address, understand and mitigate as early as possible. FINTRAIL has a keen interest in this fast-paced arena and is working with the UK FinTech FinCrime Exchange (FFE) to publish a white paper later this month exploring FinTech perspectives on and experiences of cryptocurrencies.

In the meantime, UK MPs are launching an inquiry into cryptocurrencies, including exploring the financial crime risks related to cryptocurrencies.

A government review of the need for cryptocurrency regulation is no surprise. The explosion of growth in the sector continues unabated. The German and French governments  have called for greater regulatory coordination ahead of November’s G20 meeting. And the US Securities and Exchange Commission (SEC) has described cryptocurrency as an “across the border priority.” The UK inquiry also coincides with news that seven of the UK’s largest crypto companies have formed a self-regulatory body, CryptoUK, with the intention of promoting best practice and working with the government and regulators.

The Treasury Committee will no doubt consider the late-2017 revision of the EU 4th Anti-Money Laundering Directive (4AMLD), known as 5AMLD, which delivers a definition of “virtual currencies,” which include cryptocurrencies, for all member states to adopt in AML legislation.[1]

In addition to the definition, the 5AMLD aims to mitigate risks associated with the use of virtual currencies for terrorist financing. To do so, the 5AMLD extended the scope of “obliged entities”, which previously included financial institutions, accountants, lawyers, estate agents etc., to include cryptocurrencies and other related services such as exchanges and custodial wallet providers. This is significant as it acknowledges that cryptocurrencies and their supporting services carry the risks of money laundering and terrorist financing and that KYC policies, EDD controls and transaction monitoring are required alongside the immediate submission of suspicious activity reports to law enforcement.

While adoption of the new rules into national legislation will take time, the principles of the 5AMLD and the obvious appetite from EU member states, the US and the cryptocurrency sector itself to bring about a more coordinated regulatory position will inevitably play an important role in the deliberations of the Treasury Committee.

Regardless of the outcome of the inquiry, government scrutiny of cryptocurrency at a time when uncertainty and volatility pervade the sector is an encouraging development.

As to the 5AMLD, further work is needed to ensure legislation keeps up with the high-tempo cryptocurrency risk landscape; however, for the time being, EU acknowledgement that cryptocurrency carries financial crime risk is a much-needed starting block.

[1] Virtual currency is not synonymous with cryptocurrency. Virtual currencies are tradable digital representations of value that are not issued by any government and don't have status as legal tender. Virtual currencies can have a central administrator (as in the case of services like WebMoney, or game-based currencies like World of Warcraft Gold); or they can be decentralised cryptocurrencies, which use cryptography to validate and confirm transactions.

Unravelling the Complexity of Multi-Jurisdictional KYC

Scaling up is a natural part of any FinTech’s journey. This typically involves the exciting opportunity of offering your product or services in new jurisdictions overseas. However, this growth comes with significant regulatory and practical know your customer (‘KYC’) complexity that may expose you to regulatory risk.

Here are some factors to consider when adjusting your onboarding policies and procedures to support customers from new jurisdictions:

Onboarding Portal

You may think setting up in a new country just means copying and pasting your current onboarding portal into another language. Unfortunately, it’s not that simple. Some countries may have different legal entity types or have entity types that do not translate directly. There are also different types of identification numbers in some countries that are given to sole traders and businesses, so make sure to request the correct number. Be careful to ensure your initial KYC questions are clear in all languages on your websites and apps to prevent customer confusion.

Identification

UK Joint Money Laundering Steering Group (‘JMLSG’) guidance recommends asking for an individual’s name, date of birth and address. But be aware, some countries require more information! In half of the countries we’ve looked at, national identification numbers, like social security numbers, were required. Place of birth and nationality were other common identification asks in other countries. This could require several operational changes, from rewriting some of your procedures, to redoing parts of your onboarding portal.

Verification of Companies

In the UK, many FinTechs will verify the identities of legal entities against Companies House. However, there is no registry for sole traders. In other countries, it is important to check if there is a register for sole traders that should be used for verifying identities as part of KYC, as around two-thirds of countries we’ve looked at had some searchable registry of sole traders. Furthermore, other countries’ corporate registries may not be as easy to navigate as Companies House--requiring you to purchase certain documents or existing as one of multiple company registries. Third party providers should be checked to ensure they are accessing data directly from your jurisdictions’ registries. Understanding verification options for companies and sole traders is important for simplifying your operations.

Documents

In the UK, a primary government-issued photo ID includes a passport, identity card, driving licence, biometric residence permit or firearms licence. However, in several countries, a driving licence is not actually considered a primary form of photo ID for compliance purposes. For secondary documentation, while a document from a bank or utility provider may be acceptable in the UK, this is not always the case in other jurisdictions.

Beneficial Ownership

While the 4th MLD made it a requirement for countries to have a publicly-accessible beneficial ownership registry, this is still slowly being implemented in some countries. Of the EU/EEA countries we’ve checked, a UBO register was only available a little more than half of the time. Many countries outside of the EU have shown very little progress on the issue of a publicly-accessible registry of beneficial owners. Not being able to refer to a public registry of beneficial owners may add unforeseen operational costs and considerations that should be taken into account to ensure a smooth rollout.

Directors

JMLSG clearly outlines requirements for identifying a legal entity’s directors and senior management when commencing a business relationship. However, the vast majority of countries we’ve checked do not have explicit policies around the identification of directors. Some may include directors in their definition of beneficial owners, however. This ambiguity could lead to you having to rethink your AML/CTF standard operating procedure on who to identify.

Certification

When information is not easily available to verify through eKYC or checks against a registry, you may need to request certified documentation. Be sure to know the professional bodies of accountants and solicitors in each jurisdiction you operate in, so that you can check the status of whoever has certified your customer’s documents. This will help you avoid any operational hiccups down the line.

Expanding your business into new countries or regions is really exciting, but is not a simple or risk-free process. The amount of nuance and complexity involved in each jurisdiction highlights the need for assessing the financial crime and compliance risks posed in each jurisdiction where you plan to operate. Not only is it important to check for regulatory differences that may create operational challenges in different countries, but also to check areas for higher corruption, identity fraud, money laundering and terrorist financing risks in order to determine whether you need to rethink any parts of your KYC policy.

If you ever have any questions on or need any assistance with managing the financial crime regulatory landscape of a new country or jurisdiction, don’t hesitate to get in touch for more information.

ACAMS Certificate - AML for FinTechs

Today we are extremely excited to announce the launch of the brand new AML for FinTech certificate from ACAMS!

FINTRAIL have been working in partnership with ACAMS to bring this online training course to the FinTech community. The course has been designed for FinTechs by FinTechs to give delegates the knowledge and confidence to create and implement an Anti-Financial Crime plan for their organisation.

It covers:

  • Anti-Financial Crime (AFC) regulatory obligations that apply to FinTechs

  • The types of financial crime risks faced by FinTechs

  • Key components of a FinTech AFC control framework

  • Real-life case studies illustrating the risks and countermeasures applied

The first class starts on 21 February 2018 and will be run a number of times over the coming months. You can register to attend the certificate by visiting the ACAMS website.

Managing a Financial Crime or Regulatory Crisis

Dealing with a financial crime crisis - whether that be a backlog of suspicious reporting that has built up, facing de-risking by a partner or finding out that a sanctions process has been working ineffectively - can be an especially stressful time for clients, particularly if the issues could lead to regulatory intervention, potential losses or the restriction of banking or payments facilities.

This is not to mention the obvious and negative impacts that such a crisis can have on customer trust and the potential reputational impact; in many cases, it can be a matter of survival for the business and brand, where trust is hard won but so easily lost.

So, we wanted to share some insight on how our team approaches these tasks to help readers be better prepared and have a head-start if you find yourself in the position of crisis managing a response to financial crime issues.

  • Understand the nature of the problem. This sounds like an obvious place to start but it is absolutely critical to everything that follows. If you do not genuinely understand the root cause of the issue you are facing, it is very difficult to put in place a response that is effective and proportionate. So for example, if you are dealing with a significant up-tick in fraud or failings in AML or sanctions controls, you need to efficiently and effectively understand the nature of the problem so you can identify the core contributing factors and develop a proportionate response.

  • Develop a considered plan of action. Once you have identified the root cause/s of an issue, you need to ensure that you develop a response plan that is action focused and targeted on addressing those specific items as well as factoring in any linked or dependency tasks. For example, it is pointless implementing a new tool or process unless you train those involved in using the tool, otherwise you may just make things worse by increasing operational risk. It is worth bearing in mind that you must be able to demonstrate to your stakeholders that tangible action has been undertaken.  

  • Mobilise effectively. This covers not only how you engage the services of and mobilise external parties but also those internal stakeholders or your support network. This is a careful balancing act against the needs of normal daily business. Depending on the nature of the issue, segregating resources to focus on the crisis can be most effective. Our view of mobilisation is making sure all those involved very clearly understand the issues at hand and are aligned to the common goal of solving the problem, and that those involved have the commensurate level of accountability and authorisation from senior management. This is no time for egos or political wranglings.

  • Ensure transparency. We often get asked ‘what should we say to our bank partner’ or similar. Our advice is always the same and that is you should be transparent. In a crisis scenario, you are aiming to maintain the trust you have built with all your stakeholders and transparency and openness are key values underpinning trust. We can confidently tell you from experience that one of the fastest ways to make a difficult situation even worse is by developing an opaque strategy with your partners - when they find out, trust goes out of the window, making the situation far worse. Instead, communicating the issue, along with regular situation reports and plans for resolution will really help to continue the trust you’ve worked so hard to earn.

  • Accurate and effective communication. This needs to focus on communication within the team but also the flow of information to wider internal and external stakeholders. In our view there is a big difference between communicating and communicating effectively. We define effective communication as ensuring the content is received, understood and a behaviour influenced, i.e. action is taken. Accuracy in communication and information is important in a crisis scenario and at times is an area that can suffer from the impact of stress. There are times when a 70% solution on time is going to be better than 90% that is late, but accuracy becomes really important when you start to communicate with stakeholders, especially those externally. Accurate and simple communication (underpinned by high quality and accurate information) creates a sense of confidence that the situation is in hand and under control.

  • Continuous Evaluation. Once you have expended effort developing a response to the issue or crisis and have started to execute, it is vital to constantly evaluate progress and impact. Has anything changed? If it has, what are you going to do about it, how and when? The re-evaluation should be ongoing but it is also a critical process once you get to a point you have achieved your objectives and exited the crisis management situation. A wash-up and/or de-brief is a vital activity as it captures lessons learned and facilitates organisational learning.

The FINTRAIL team has developed deep expertise supporting international banks, FinTech, payments and regulated sectors in response to financial crime or regulatory crisis scenarios, drawing on our capabilities across financial intelligence & investigations, compliance advisory, technology, legal and communications. Our multidisciplinary response team can mobilise rapidly in support of a client crisis, providing executive level guidance and peace-of-mind while also delivering operational impact, all backed up by a support network and follow-on technical capacity as required.

Tax Fraud And FinTech - What You Need To Know

Fintechs have been ahead of the curve in understanding certain criminal typologies thanks to the holistic and data-centric approach they often take to tackling financial crime. However, there has been little focus on tax fraud as a criminal enterprise and how that may affect the Fintech community.

With the recent release of the Paradise Papers and Panama Papers, tax evasion and tax avoidance are back under public debate as governments and individuals ponder how best to ensure that everyone pays the taxes they owe. The data leaked by the Paradise and Panama Papers put into the spotlight the blurred lines between tax avoidance and tax evasion, which are often facilitated using the same complex mechanisms and can confuse our understanding of what is acceptable tax reduction and what is not. This has put international governments under pressure to address the growing consensus that tax avoidance and the exploitation of tax loopholes has gone too far.

For the Fintech sector, this means that in the near-to-medium future, our understanding of tax fraud and tax evasion could fundamentally shift. To stay ahead of the curve, we therefore have to ask ourselves: how does tax fraud affect Fintechs and what are our responsibilities in combatting it?

One of the major confusions around tax fraud, tax evasion and tax avoidance is the definitions used. So, here are some definitions to help us clarify the issue at hand:

Tax Avoidance: tax avoidance is reducing one’s tax burden within the letter of the law (but often not within the spirit of the law). Examples include tax deductions or establishing an offshore company or trust in a tax haven to reduce tax liability.

Tax Fraud: tax fraud, according to HMRC, is illegally avoiding paying taxes. It is made up of three components—tax evasion, criminal attacks and participation in the hidden economy.

Tax Evasion: tax evasion is one type of tax fraud concerning individuals or businesses who intentionally misreport information to reduce their tax liabilities.

In terms of regulation, tax fraud has never received the attention given to sexier crimes such as money laundering or terrorist financing. However, this is beginning to change. At the end of September 2017, the Criminal Finances Act came into force in the UK, which made companies more liable for failing to prevent tax evasion, including facilitating the evasion of UK taxes by international entities and facilitating the evasion of foreign taxes by UK entities. The best way for Fintech companies to avoid liability is through robust risk management and a strong compliance programme.

Not only are Fintechs more liable for tax fraud than before, but the problem of tax fraud is growing. The current gap between taxes owed and taxes paid is £34 billion, half of which is due to tax fraud.

There are several ways that tax fraud can touch the Fintech sector, including:

  • Using Fintech products to collect bogus tax refunds or to facilitate tax fraud.

  • Using Fintech products to process funds derived from the hidden economy.

  • Using Fintech products to mask the origin of funds.

So what can Fintechs do to protect themselves and reduce the negative social impact of tax fraud? Here are our recommendations:

1. File SARs in a timely fashion. A quarter of all HMRC tax investigations are stimulated by SARs, so filing these properly is critical in the fight against tax fraud. You can also contact HMRC directly.

2. Ensure robust onboarding and KYC policies to a) decrease the anonymity of the product and b) avoid liability in tax fraud cases.

3. Impose reasonable transaction limits and limits on the number of accounts held in order to decrease the attractiveness of the product to tax fraudsters. Keep these limits under constant review based on changing typologies.

4. Monitor relationships in an ongoing fashion and watch out for red flags such as:

  • Suspiciously large transactions sent for ‘expenses’

  • Spending that does not reflect expected income

  • Unexplained payments into customer accounts from sources linked to work or employment

  • Multiple tax refunds coming into one account

  • Multiple transfers to financial institutions in high-risk tax jurisdictions

If you would like to discuss tax fraud further and learn about how FINTRAIL can help identify and combat tax fraud typologies, please do not hesitate to get in touch.

Casting A Light On Complex Networks To Disrupt Financial Crime

The global, connected web of financial criminality is difficult to unpick. However, investigations over the past few years have shed light on the few, yet critically important, bad apples amongst the network of financial institutions that enable this web to go unchecked. While many of these may simply lack adequate controls to tackle money laundering or terrorist financing, other financial institutions have taken a much more direct role in criminal activity. The use of financial intelligence and investigation techniques presents an opportunity for the regulated sectors to disrupt criminality at scale and efficiently. As such we are excited to announce the appointment of Nick Herrod as head of our Financial Intelligence and Investigations practice, who will help us drive solutions for clients that continue to deliver impact.

During a recent event hosted by Thomson Reuters, OCCRP Executive Director Paul Radu was asked how the international community should tackle the global and seemingly untouchable scourge of financial crime. His response was telling — go after the financial institutions, big or small, that facilitate the criminal activity. This is an interesting strategy to take, and targeting the institutions facilitating criminal activity presents an opportunity to disrupt criminality on a wholesale basis. The team at FINTRAIL decided to examine this subject in more detail, yielding some interesting results. Through our research we have found that one of the most significant red flags when it comes to these types of institutions (and counterparty risk) is the influence of high risk individuals/PEPs within the ownership structure. To better understand this, two public case studies are detailed below—the Global Laundromat and the BGFIBank Democratic Republic of Congo (DRC)/Hezbollah connection. It is evident that the links between financial institutions and owners more susceptible to criminal motivations can affect the robustness of an institution’s compliance regime and undermine industry efforts to counter financial crime. Taking an intelligence-led approach and exploiting a range of data sources allows us to highlight additional red flags and begin targeting the key nodes and facilitators of this volume criminal activity.

The Global (Russian) Laundromat: This laundromat, exposed by the OCCRP[1] three years ago, funnelled more than $20.8 billion from Russia into Europe. OCCRP reports show that it involved approximately 500 people, from oligarchs to FSB-affiliated individuals.

Igor Putin, cousin to current Russian President Vladimir Putin, was a manager and executive board member for the Russian Land Bank (RZB), an institution whose accounts reportedly processed more than $9.7 billion, or nearly half of the total funds involved in the laundromat case. Funds were sent from RZB to Moldindconbank in Moldova, then on to Trasta Komercbanka in Latvia and from there to the rest of Europe. The OCCRP adds that Igor Putin was brought into RZB initially by Alexander Grigoriev, who allegedly has ties to the FSB and whom the Guardian identified as one of the main ringleaders of the Laundromat. Grigoriev headed the RZB during the laundromat’s operation until the time of his arrest. Putin and Grigoriev were also connected through other companies where Putin was a board member and Grigoriev a shareholder. Putin left the RZB board in 2014, contending he left after becoming aware of ‘the real situation.’[2]

BGFIBank DRC and Hezbollah: According to a recent Sentry report[3], BGFIBank DRC, run by the brother and sister of the president of the DRC, Joseph Kabila, reportedly allowed transactions from companies connected to a known financial contributor to Hezbollah: Kassim Tajideen. Tajideen and his brothers Ali and Husayn were subject to US sanctions, as were entities under their control. Despite this, and despite warnings from BGFIBank DRC employees, the financial ties between the bank and the sanctioned parties reportedly remained intact. Subsidiaries of Ovlas Trading, owned by Kassim Tajideen, would make transfers through BGFIBank DRC to subsidiaries of Congo Futur, managed by Kassim’s non-sanctioned brother, Ahmed Tajideen. Both Ovlas Trading and Congo Futur are under US sanctions, though Ahmed is not. Despite employee awareness of the risks involved, transactions from the sanctioned entities were allowed to continue, and BGFIBank DRC even went as far as to request the US Treasury unblock a transaction involving one of Tajideen’s companies and another bank. BGFIBank DRC had previously been accused of diverting millions of dollars in public funds, further calling into question the AML/CTF regime of BGFIBank DRC and the role the bank’s leadership played in the activity.

These two sample cases demonstrate how financial institution ownership from individuals more susceptible to criminal motivations can encourage complicity or active participation in criminal networks facilitating financial crime. In both, banks with ties to PEPs and high-risk individuals allowed significant cash flows to be laundered and used for criminal purposes. Though only two cases are discussed here, the findings still show how the use of financial crime intelligence and investigations can be utilised to go beyond the basic information generated by many static compliance controls, help better the understanding of evolving typologies and surface new opportunities to counter the capricious threat of financial crime.

At FINTRAIL we have seen an unprecedented level of interest in the financial intelligence and investigation capabilities we offer to our financial service clients, from start-ups to established firms. As such, Nick’s arrival to lead FINTRAIL’s Financial Intelligence and Investigations practice could not be more timely. Nick brings an exceptional pedigree to the experienced team at FINTRAIL after completing a range of public and private sector roles, culminating in his position as the Head of Global Intelligence Team within HSBC’s Financial Intelligence Unit where he was responsible for overseeing a significant portfolio of investigations that focused predominately on large, multi-jurisdictional networks facilitating illicit financial activity. Nick will continue to build on FINTRAIL’s strategy in this area, understanding the needs of our clients of all sizes and ensuring that we are delivering a suite of capabilities and solutions to help our clients mitigate the negative impacts of financial crime.

 

[1] https://www.occrp.org/en/laundromat/the-russian-laundromat-exposed/

[2] https://www.occrp.org/en/laundromat/the-russian-banks-and-putins-cousin/

[3] https://cdn.thesentry.org/wp-content/uploads/2016/09/TerroristsTreasury_TheSentry_October2017_final.pdf

Loss Of Freedom - Human Trafficking And Its Impact On FinTechs

Human trafficking has sadly become a widespread and global issue; from the woman forced into prostitution and kept locked up in a house, to the man working on a construction site, stripped of his documents and any salary taken from him. Every 30 seconds, the criminal industry of human trafficking makes more than $30,000; bringing in approximately $32 billion a year.

In the world of financial crime, human trafficking is a predicate offence (the underlying criminal activity whose proceeds are then laundered), the revenues of which may touch financial services as the profits are laundered. Financial services may also be used to facilitate these offences, providing the ability to pay subsistence for accommodation, book flights for a trafficked person and carry out other activities traffickers rely on. As awareness of human trafficking increases and pressure is applied to the criminals that make huge sums from the exploitation of others, the criminals may be forced to look at alternative financial arrangements or exploit new technologies to their advantage.

There are numerous behavioural patterns characterising the organised crime groups involved. Having analysed the most often occurring subtleties, it is evident that tools such as the Internet and other communication devices are utilised expansively. The most intimidating organised crime groups are mainly those capable of governing the entire course of trafficking, from the recruitment of victims to the reinvestment of the criminal proceeds.

Through our industry engagement, FINTRAIL has seen an increase in Fintechs’ awareness of the fight against human trafficking and subsequently, human trafficking was the subject of the October 2017 FinTech Financial Crime Exchange (FFE). Members presented case studies and industry experts provided insights on the changing nature of the threat and industry initiatives to tackle the problem. Many of the FFE members were able to give examples of cases where they had detected indicators of financial crime involving human trafficking or exploitation, demonstrating this is not only an issue that impacts large financial institutions but may also directly impact the Fintech industry. In fact, some of the features common to modern Fintech such as non-face-to-face onboarding and ease of account management/overview may make it potentially attractive to those involved in trafficking and exploitation. As a result, Fintechs are conducting enhanced Know Your Customer (KYC) checks and are scrutinizing onboarding documentation in an attempt to combat human trafficking.

The FFE session identified specific typologies that may be relevant in a Fintech environment and what mitigations and actions industry may be able to apply. Some basic example indicators or red flags are detailed below:

- Customers taking selfies or completing onboarding checks appear to be under the control of someone else. This may appear as someone in close proximity as the images are being taken, or someone controlling what is done or said.

- A customer may not be in possession of their own legal documents and may add unreasonable delay while they get them from someone else.

- Recurring payments being made from one account to multiple accounts for wages at unreasonably low amounts.

- Multiple point-of-sale transactions at car rental agencies, airline ticket purchases and train ticket purchases with no subsequent spend in that destination.

- High expenditure payments at fast food outlets, supermarket outlets, clothing stores, drug stores etc.

The FFE and its members will continue to focus on human trafficking and its negative impact on society and implications for financial services. In addition, FINTRAIL will track the evolution of financial crime typologies associated with human trafficking in order to identify any shift by those criminals to target financial services as a tool to further their illicit and damaging behaviours.

If you would like to discuss human trafficking further, or learn more about the FFE and how FINTRAIL can help your organisation identify and combat human trafficking, get in touch.

Laundromats, FinTech and Financial crime – Know Your Customers!

On 17 October 2017 Thomson Reuters held the first in a series of events on Financial Crime. This event explored the recent investigations conducted by the team at the Organised Crime & Corruption Reporting Project (OCCRP) into the global laundromats. The brave and fascinating work by the team at OCCRP exposed the complex and globally connected money laundering networks that via a web of hundreds of companies and associated financial institutions have laundered over $20 billion.

Although the laundromats are money laundering on a huge and global scale, and it may seem like a problem only big financial institutions may have to deal with, OCCRP Executive Director Paul Radu stated that every laundromat case he’s worked on has involved myriad UK companies. This means the issue is right here on our UK doorstep.

Although money laundering through complex laundromats can seem like a victimless crime, they are in fact part of networks taking huge sums via corruption of national pensions, financing groups involved in serious organised crime like human trafficking, funding terrorist organisations, and destroying lives.

So what does this mean for the FinTech community? There is real excitement about the commercial opportunities for challengers in the business and commercial customer segments and this is very much true, but this segment also brings with it a very different set of financial crime risks that really need to be understood and factored into an effective and proportionate financial crime risk management framework. When you consider the factors that may impact on financial crime risk, the customer type (i.e. complex corporate ownerships), geographies (i.e. dealing with suppliers/customers across a range of geographies), product type (i.e. high value transactions or products) and channel (i.e. often in a FinTech this is non face-to-face) can all have a material impact on the potential risks a FinTech targeting this segment may face.

So what can FinTechs targeting these new and exciting customer segments do to assist in the fight against these laundromats, comply with applicable regulations and do their bit to reduce money laundering? We have provided a few helpful hints below:

- Ensure you have a financial crime risk assessment that accurately reflects your unique circumstances. All companies and products will have their own unique factors to be considered and may impact on your risk profile. In many cases, it is not only a regulatory requirement to have a risk assessment but it is also a hugely powerful tool to help you define and navigate your compliance and risk frameworks.

- Understand your customers. Just because you are targeting customers who may be registered in the UK or other equally regulated markets, it does not mean they may not get involved in illicit activity. This goes beyond basic identification of your customers to ensure you understand the nature of your customer’s business and how they intend to use your product/s. Without that knowledge, it becomes very difficult to monitor effectively and can/will cause negative customer experience in the long-term.

- Understand the typologies and red flags that you and your team should be looking for. Staying current on evolving typologies allows you to keep pace with or even out-pace the criminals, and reduces the long-term negative impacts criminals may have on your business.

Paul Radu said at the event "it takes a network to fight a network" and although he was referring to an international network of the likes of law enforcement and financial institutions working together to tackle it, the growth of alternative financial services further diversifies the pool. The FinTech FinCrime Exchange (FFE) is one such network, where FinTechs come together to effectively collaborate and combat financial crime such as money laundering.

If you would like to discuss money laundering, or any of the topics raised in this post please don’t hesitate to contact the team at FINTRAIL.

Malta - Building Resilience To The De-Risking Agenda

On 14 November 2017 FINTRAIL, in collaboration with the Central Bank of Malta, will be delivering a workshop to invited guests from 25 Maltese banks focused on "Building Resilience To The De-Risking Agenda".

In recent years, there has been a gradual decline of intra-bank relationships, with many economies throughout the world experiencing a decline in correspondent-banking services. The de-risking agenda of banks providing correspondent banking services is of concern. Surveys, reports and studies from the World Bank, the IMF, the Financial Stability Board and various other research organisations indicate that this is a problem affecting a number of countries and numerous banks.

While there is much public debate about the strategic implications of and solutions to de-risking, there has been little in the way of advice at the practitioner level as to how bankers across the first and second line of defence can respond to this threat.

Leveraging FINTRAIL's unique expertise in correspondent banking and financial crime compliance, this interactive workshop provides key individuals with the knowledge and confidence required to confront the issue of de-risking, establish a robust risk-based approach to financial crime compliance and build trust across key stakeholders including regulators, foreign correspondents and customers.

Re-Establishing Trust - High Risk Industries and Banking

For the last nine months FINTRAIL has been working with the awesome team at the Antwerp World Diamond Centre (AWDC) who represent 1700 Antwerp based diamond traders, to address some of the challenges their members and industry as a whole are having with access to viable bank accounts. The issues they've been having are due to the perceived high financial crime risk within the diamond industry and the associated bank de-risking phenomenon.

The short video below highlights one of the exciting developments coming from our work with AWDC and is a great example of where Financial Technology (FinTech) and Regulatory Technology (RegTech) can combine to offer solutions to some really complex challenges for traditional and non-traditional financial services. Our focus has been on how we can re-affirm trust across all stakeholders and ensure there is a sustainable and commercially viable solution for all parties.