AI and FinTech: An intelligent choice or artificial hype?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Artificial Intelligence (AI).

In a survey of 18 members, the FFE found that 61% are currently either in the process of developing in-house AI solutions or reviewing third-party options for their fraud or AML programmes. 33% of surveyed FinTechs currently employ AI solutions developed in-house, against 11% that use third-party AI solutions.

Cost and data deficiencies, followed by human resources, were reported as the main barriers in implementing AI solutions by FinTechs. The lack of sufficient knowledge or understanding also appeared prominently as one of the top risks highlighted by respondents. 

FinTechs that had managed to overcome the barriers and challenges reported a number of benefits, including better accuracy and fewer false positives, faster turnaround on onboarding and some improvements in fraud detection.

In the meantime, research and feedback from members suggest that the best approach to introducing AI tools is to deploy them alongside traditional systems: monitor and audit both old and new tools until you are satisfied, and only then rely on the new tool.

Clearly, as outlined, there are risks and challenges with AI, but anything that enhances the ability of the sector to combat financial crime should be explored for the overall positive benefits it will bring to the companies involved and the people it affects. As highlighted by the survey results, FinTechs are not only well placed but are actively seeking opportunities to integrate AI to enhance their AML framework.


CTF Strategies: Combating Common Terrorist Financing Misconceptions

At the end of last year, the US Department of Treasury released its National Terrorist Financing Risk Assessment. Despite the multiple attacks perpetrated by domestic extremists in 2018 - including the Pittsburgh synagogue shooting, Jeffersontown Kroger shooting and US mail bombing attempts in October alone - the assessment made no mention of domestic or far-right-wing extremism. 

Another misconception? When thinking of terrorism in Europe, we often break it down between far-right-wing and Islamist groups, when in actuality, according to the just published EU Terrorism Situation and Trend Report (TE-SAT), nearly two-thirds of all attempted or completed terrorist attacks were instigated by separatist groups. Without an understanding of the nature of terrorist financing, it becomes harder for financial institutions to know what to look for and to implement impactful counter-terrorist financing controls.

These examples only showcase some of the assumptions that can negatively affect our ability to prevent and detect funds travelling to terrorist groups. Based on our experience in the FinTech space, we’ve broken down a few more common terrorist financing misconceptions:  

Misconception 1: Terrorist financing exists in a silo.

Terrorist financing is most simply thought of as an activity pursued by someone with strong ideological affiliations to a terrorist group or cause. While this is certainly true in some cases, only thinking about direct and ideologically driven terrorist financing has the danger of concealing the wider nexus between terrorist financing and other types of financial crime. While the use of drug trafficking to fund terrorist activity has been well-recorded, other intersections between terrorist financing and criminal activity can be overlooked. For instance, one source of funding for the Charlie Hebdo attacks included fraudsters selling counterfeit goods. And yet terrorist financing goes beyond just the perpetrators of financial crime. Given that terrorist financing is about the destination of the funds, those seeking to purchase illegal goods, whether counterfeits, weapons or drugs, could also engage in terrorist financing unwittingly, being unaware of where the funds for their purchase end up. 

The terrorist financing network expands beyond the sale of illegal goods. A convicted ISIS fundraiser had tried to raise funds through financial aid fraud, and foreign terrorist fighters have been known to engage in bank and credit card fraud to help fund their movement. The mass enslavement of the Yazidi by ISIS is the most prominent example of how terrorist groups have used human trafficking to raise funds, though other groups such as Boko Haram and al-Shabaab have engaged in the practice as well. In addition to the direct sale of individuals, terrorist groups like ISIS have also been known to use online and social media advertising in the trafficking of persons or in ransoming them back to their families and have also been reported to engage in organ trafficking. 

To best combat terrorist financing, our approach to suspicious activity shouldn’t stop with our first instinct, as even cases of other types of financial crime may have links to terrorism, and individuals with links to criminal activity may be indirectly engaging in terrorist financing both wittingly and unwittingly. 

Misconception 2: We’re looking for donations from ideological sympathisers.

While donations are certainly an important and desirable revenue stream if you are a terrorist group, and recently active networks such as the Liberation Tigers of Tamil Eelam relied on complicated networks of genuine, coerced and unwitting donors to fund nearly their entire operations, these sorts of donations don’t actually represent that much of the entire terrorist financing picture at present. Interpol in 2018 reported that only 3% of all terrorist financing was generated through overseas donations. While the latest TE-SAT still underlines the threats related to international donations, and while groups are constantly evolving in their use of revenue streams, focusing too heavily on international donations could lead us to ignore more prominent revenue streams.

So where should we be looking instead? Sources of terrorist financing are numerous and will vary greatly between groups and actors, so your high-risk indicators will depend greatly on your product offering and location. Though entities such as charities are often considered as a part of CTF efforts, limited companies receive less attention, despite evidence of their usage in terrorist financing schemes. An area that certainly warrants more attention is environmental crime: Interpol’s data indicates that 38% of all terrorist financing is generated through activities like illegal logging, wildlife trade, mining and fishing. Crafting more tailored monitoring rules for transactions with links to high-risk industries in high-risk jurisdictions for environmental crime and terrorism would help to detect this sort of activity.

Misconception 3: Geography is the most important factor.

During our work as anti-financial crime consultants, we have spoken to several Heads of Financial Crime who express frustration when a suspected terrorist financing case is raised to them primarily because of the customer’s nationality or geographic location, with no other specific evidence indicating that they may be linked to terrorism. Given the misconceptions we’ve already explored, there are serious dangers with jumping to the conclusion of terrorist financing. Terrorist financing is already difficult to spot, especially given that most recent attacks only require less than $10,000 in funds to complete. In fact, the 5 terrorist attacks that took place in the UK in 2017 in total cost just £5,000 to execute. Overly favouring geographic factors risks underestimating the presence of domestic terrorism. The intersections with other crime types and the more complicated channels where terrorist financing can manifest only add to the need to demonstrate a suspicion of terrorist financing more substantively.

What’s the risk though? While it’s important to be safe rather than sorry when it comes to terrorist financing, in reality, a too simplistic approach could lead to vulnerable individuals being de-risked. For example, individuals who do aim to donate to a terrorist cause tend to use the path of least resistance in moving the funds from their country of origin to the conflict zone. Unfortunately, these overlap heavily with channels used by genuine actors seeking to remit funds home or donate to overseas causes. Without additional evidence linking the customer to terrorism, you could end up unwittingly engaging in profiling in a way that is unfair to customers and inefficient in your anti-financial crime efforts. One positive step we’ve seen employed in the FinTech sector is a more holistic approach to customer risk, which takes into account a variety of evolving data points--from IP address to device ID to transaction patterns and speeds--which help paint a more nuanced picture of a customer, that isn’t overly reliant on nationality or country of residence. The best approach to identifying terrorist financing is one driven by a mix of customer data factors, suspicious transactional patterns and references and open source intelligence in order to pin down the nature of your suspicion. Even a quick Google or social media search can go a long way.

Final Takeaways

Ultimately we need to widen our understanding of the nuances and complexities of terrorist financing and challenge the industry to consider cases beyond the more stereotypical patterns. With that said, there are a few key takeaways that we should all consider when framing our approach to terrorist financing:

  1. Dynamic Approach to Terrorist Financing - Broaden your understanding of how terrorist financing may manifest, and see beyond just geographic red flags. We need more than that to form a suspicion of terrorist financing, and this approach doesn’t reflect the reality of the risks we currently face. Taking a dynamic approach to customer risk as it extends to terrorist financing risk is critical, and utilising open source intelligence can contribute to this.

  2. Data and Knowledge Sharing - Having a strong relationship with law enforcement not only will help when it comes to active cases, but can also help you learn about new and emerging typologies and gain actionable information that you can build into your transaction monitoring tools. Improved data and typology sharing not only through public-private partnerships, but also through private-private partnerships can help facilitate greater overall resilience against terrorist financing threats and help everyone stay on top of a landscape that is rapidly changing.

  3. Training and Awareness - CTF training, whether by internal or external parties, needs to be consistently evolving and reflective of the major trends we see in funding patterns and that you see in your day to day operations. Training should be coordinated by terrorist group or actor type, as all groups favour different financing structures, which change depending on their success and failures. CTF training isn’t just about procedure, but about the wider geopolitical context shaping terrorism at home and overseas.

FINTRAIL believes that all companies should have the opportunity to thrive, free from the threat of financial crime, and in doing so reduce the opportunities for exploitation of the most vulnerable.

If you would like to discuss the issues in this post, or wider anti-financial crime topics in an increasingly digital FinTech world, please feel free to get in touch with one of our team or at

The Vulnerable: Targets and Tools of Financial Crime

What FinTechs can do to fight financial crime & exclusion

Lured by the opportunity for employment, housing and travel, people were moved from Latvia to the UK by a Latvian Organised Crime Group. For those hoping to create a better life for their families, these hopes were immediately crushed: once they arrived in the UK, they were told they were "in debt" to the gang. The gang forced the victims to open bank accounts in their own names, then hand over their bank accounts and bank cards to the group before being sent to work in various locations across the UK. The gang retained control over their earnings and any refusal to cooperate was met with threats of violence and assault (1). Unfortunately this is not an isolated incident, with a global figure of 40.3 million vulnerable individuals estimated to be victims of modern slavery (2).

In the UK, serious and organised crime is the most deadly national security threat (3). It affects more UK citizens than any other national security threat and leads to more deaths in the UK each year than all other national security threats combined. Organised crime groups sexually exploit children and ruthlessly target the most vulnerable, ruining lives and blighting communities. The predicate offences that drive financial crime often generate illicit funds off the back of the hopes and fears of desperate individuals. Crimes like the one highlighted cost us in the UK at least £37 billion each year (4). Criminals are able to reap the benefits of their crimes and to fund lavish lifestyles while their victims are left to suffer the consequences.

The rise of new technology and financial innovation often leads criminals to seek creative ways to exploit evolving financial developments to their advantage. This makes FinTechs and their customers a particular focus for the criminals, a problem which is heightened further when one considers that two of the largest under-banked groups, the young and migrant communities, are at a higher risk of vulnerability.

What can we do?

One of the simplest ways to identify and understand a customer’s potential vulnerability is through ‘face-to-face’ interaction. This is much harder for FinTechs to do; most interactions involve online onboarding, with little dialogue apart from email and instant messaging between the client and a customer service representative. Indeed, much of this kind of interaction is increasingly automated, which is part of the inherent attraction of the sector.

The best time for FinTechs to identify and protect a vulnerable individual is during the onboarding process, through Identification and Verification (IDV). One of the most concerning situations we have come across through our involvement with the FinTech FinCrime Exchange (FFE) has been reports of FinTech client applicants providing IDV selfies or undergoing an onboarding interview online who appear to be in the presence or possibly even under the control of another individual. Instances such as these need to be taken very seriously, and simply rejecting the new customer is not enough. Where suspicious activity of any kind is in evidence, FinTechs have a clear moral responsibility to report it (5).




(2) International Labour Organization and Walk Free Foundation - Global Estimates of Modern Slavery - 2017

(3) Home Office - Serious and Organised Crime Strategy - November 2018

(4) Home Office - Serious and Organised Crime Strategy - November 2018

(5) NCA - Guidance on reporting routes relating to vulnerable persons - November 2016

Why do you work in Financial Crime Compliance?

Payal Patel, who leads our new office in Asia, tells us why she works in Financial Crime Compliance and how she initially found her way into the field.

Payal combines her legal education and extensive compliance experience to build 'best-in-class' anti-financial crime programmes for clients and is focused on enabling innovative business whilst balancing risk and regulatory demands. She brings over 14 years of experience in financial services across multiple regions, focusing recently on FinTech and crypto. She has led engagements with regulators on new business models and has worked with a wide range of organisations globally on international best practices.

‘Why do you work in Financial Crime Compliance...isn’t it boring?’

I’ve lost count of the number of times I’ve been asked this question in some form.

Truth be told, I never intended on pursuing a career in Financial Crime Compliance. After completing my LLB and my legal training, it became very clear that my legal career wasn’t going to be like an episode of Suits, and I decided to follow many of my friends into the world of banking. During my undergraduate degree, we had talks from practically every bank selling us the pre global financial crisis dream of trading and earning pots of money. But I wasn’t sure that world was for me. I hadn’t heard of compliance until a recruiter called me about an entry level role that preferred people from a legal background. I was particularly intrigued as soon as she started talking about fighting financial crime. As a further plus, the team seemed nice, and the work was new, so I took the opportunity.

14 years later, and despite many opportunities to move into other areas, I’ve chosen to continue working in this space - and here’s why.

It impacts us all

People often forget the social impact of money laundering and terrorist financing - it costs us all. Serious crime, from drugs and cybercrime to people trafficking, has huge negative impacts on society and the people affected, as well as costing the economy billions each year. The trickle down effect of this is that taxes need to be raised to compensate not only for the financial loss but also the additional resource required to police the activity going forward. The price of consumer services increases as businesses seek to cover the costs associated with the higher taxes. Incidents of corruption, violent crimes and job losses go up and all of this can ultimately destabilise companies, industries and even developing nations. For the victims of crimes enabled by laundered money, the effects can be devastating and lifelong, including great personal and family loss. I see my role as preventing the criminal activity at a crucial point – where criminals seek to convert and clean their money by concealing it within the financial system, essentially allowing their crime to pay off.

Business enabling

Further, I strongly believe that compliance done right is business enabling. Throughout my career, I have actively sought to work in partnership with Business Heads to fully understand their business and the bespoke nature of the financial crime risk it introduces, seeking ways to illuminate this, and show how combatting it will give the business not only the stability it needs to grow, but how fighting financial crime actively builds trust among its customers. This collaborative approach has allowed me to creatively think of new and innovative ways to manage risk whilst also allowing me to be an integral part of the product / service roll out.

The cost of getting it wrong

From an organisation’s perspective the cost of getting compliance wrong can also be devastating, not only financially but also reputationally. Whilst the value add of a robust compliance programme cannot be tagged directly to sales or revenue, the fines imposed for failures can be massive, and licenses revoked or not granted at all.

As I now turn my focus to the world of FinTech, I am more passionate than ever about my role. As technology evolves, so does criminal activity. I want to make crime, corruption and terrorism harder for perpetrators. I want to protect the reputation of the organisations I work for and help them establish and maintain relationships with legitimate customers. This seems far from boring to me.

The Money Mule Trap

by Ishima Roman (Analyst, FINTRAIL)

In mid-February 2019, the UK House of Commons Treasury Select Committee heard from UK financial services providers about the problem of ‘money mules,’ reported to be on an upwards trajectory(1). The term ‘money mule’ is very familiar to financial crime risk professionals, denoting an individual used by criminals, knowingly or not, to transport illegal funds. The term is of course fraught with value judgements; being ‘mules’, they are perceived at best as naive and unwitting accomplices, and at worst as willing and able conspirators. However, as those giving evidence noted, ‘mules’, although enabling financial crime, can often be victims too.

Money mules can present challenges for FinTechs, especially those offering account based services and payments, because their customer base often draws on groups targeted to become mules: the young, immigrants, the economically precarious. This post explores the mechanics and consequences of money muling, and asks what can be done to mitigate the problem. In part, we believe that the answer is robust financial crime risk management; but FinTechs can also play an important educational role in preventing the vulnerable falling into the ‘mule’ trap.

What is ‘Money Muling’?

Europol, the European Union’s (EU) law enforcement agency, defines money mules as ‘people who, often without knowing it, have been recruited as money laundering intermediaries for criminals and criminal organisations(2).’ The term is sometimes used interchangeably with ‘smurfers,’ although this latter term more precisely refers to those who deposit many small batches of illicit funds to avoid a threshold of regulatory interest.

The process of money muling usually comprises:

  1. The recruitment of the mule by criminal sources;

  2. The mule receives funds into their account;

  3. The mule withdraws the funds; or

  4. The mule wires the funds to another account(s) at the direction or request of criminals. This often includes cross-border transactions.

  5. The mule receives a ‘commission’, either separately or as a cut of the funds sent to their account.

There are of course variations upon this modus operandi, and criminals have also been known to ask the mule to transfer the funds electronically to another account, without the withdrawal at step 3. Like any money laundering typology, muling will evolve with the development of technology and institutional requirements.

Becoming a Money Mule

As noted above, criminals are often looking to target those who are in a financially vulnerable position, but can provide enough psychological ‘distance’ from criminality in the minds of financial services providers that they are less likely to generate interest. Criminals are known to use many avenues to attract or pressure individuals into money muling, but some of the most common include:

  • Speculative/vague job profiles or money-making ‘opportunities’, advertised online or in local or free papers. This can often be presented as lucrative ‘home working’ and increasingly as an opportunity in a FinTech itself, often using a meaningless job title such as ‘Financial Transactions Analyst(3)’;

  • Direct approaches over social media, such as Facebook and Instagram, and communications apps such as WhatsApp;

  • Direct approaches in person.

Criminals will often pose as reputable organisations, in order to convince the target that what they are doing or proposing is legitimate and legal. Some may present themselves as representatives of an overseas firm whose details are difficult to verify. Other criminal gangs use techniques such as impersonation and role-playing, presenting themselves as an authority figure, such as police officer, government official or soldier, seeking help in some awkward personal circumstance, often requiring the transfer of funds overseas.

Figure: How Money Muling Works(4)

Vulnerability to Muling

The unemployed and new immigrants from developing to developed countries have been major targets for muling operations for some time; financial desperation provides a motivation in both cases, and in the second, there is likely to be a lack of cultural understanding that criminals can exploit. However, there is an increasing trend in Europe towards the exploitation of young people and students, driven by their high levels of aspiration and low incomes, perceived naïveté, and accessibility online.  According to a report in April 2018 from CIFAS, the UK-based not-for-profit fraud prevention group, 2017 saw:

  • A 27% increase in the number of 14-24 year olds being used as money mules. Many of these young people were students, promised substantial payments for little effort.

  • An 11% rise in the number of accounts believed to have been used by money mules (32,000 plus in total)(5).

In the UK, young people are also increasingly becoming the targets of identity fraud, leading to the misuse of their accounts by money launderers. At the Treasury Select Committee hearing, representatives from Santander noted that the young were particularly vulnerable to having their accounts being used for muling without their knowledge because so many of them take a lax approach to data security; according to Santander’s research, 85% of 18- to 25-year-olds had shared financial information online(6).

The Consequences of Muling

The consequences of becoming a money mule can be harsh, even if the mules are not aware of the ultimate rationale behind the transfers. Regardless of their level of knowledge, they will have played a crucial role in a financial crime, and as such are liable to criminal charges in most developed jurisdictions. In the UK, for instance, muling can lead to a prison sentence of up to fourteen years; in June 2018, the UK group Financial Fraud Action reported on a case of a 26 year old man sentenced by a London court to a year in prison for two mule transactions that totalled £28,000(7).

Even if criminal charges don’t arise, there is still the risk of long-term financial exclusion and limitations on career prospects. In April 2018, the BBC reported on the case of an anonymous teenage girl, ‘Holly’, who had been targeted by online mule recruiters, or ‘Fraud Boys’ as they are known, on Instagram and Snapchat, but had been caught out by bank staff when depositing a large amount of cash into her account. According to the report, Holly has struggled to get a bank account since, and has had to ask her employers for payment by cheque, which can only be cashed - at substantial cost - in payday loan shops(8).

The Risk to FinTechs

Money mules are a problem for all financial services providers. Research by Europol and Eurojust in 2016 suggests that 90% of money-mule transactions were linked to cybercrime. This included phishing and malware attacks, but also online shopping/e-commerce fraud and payment card fraud, typologies experienced by certain types of FinTech products largely due to the nature of their customer base(9).

Young people and students are attracted to products designed specifically to appeal to their needs, and many FinTech products are seeing significant traction amongst this demographic. Other groups such as new immigrants or those seeking access to financial services might also be attracted to using online services which do not require lengthy verbal interactions with in-branch bank staff and offer products that are designed to address the imbalance of financial exclusion.

Criminals are aware of these developments, and it’s possible that they will focus increasingly on the recruitment of FinTech customers, particularly as other routes via traditional institutions are closed off for them. This highlights the increasing need for close collaboration and joint working between financial institutions of all types to combat this type of crime.

Detecting Mules

The first consideration is awareness of the issue, and factoring it into your risk assessment and appetite. If your firm is focused on building a client base in the vulnerable demographics, then you need to make sure you explicitly recognise the risks and have the right controls to manage the nuances.

Every firm and product is different, and there is no generic approach to this, but it is worth recognising that it is difficult to identify all mules at onboarding, especially as some will onboard legitimately and be recruited as mules later (if you’re offering a product aimed directly at improving financial inclusion, for example). This can be made harder if ‘at risk’ groups are part of your target customer segments. However, gaining a thorough understanding of the client during the Know-Your-Customer (KYC) phase and building that customer profiling into a tuned customer risk assessment is key to detecting problems later on, because it is in the context of their expected behaviours that we judge what is unusual.

Unlike legacy banks, FinTechs are not going to catch mules out ‘in branch,’ as happened to ‘Holly’, mentioned above. Transactions take place online, so it’s important to have monitoring tools in place that can alert you to deviations in normal behaviour, along with an appropriately trained team to investigate those alerts and report them through a Suspicious Activity Report (SAR) if necessary.

Utilising available data to identify and robustly investigate ‘at-risk’ accounts is a key control activity. Mule accounts are sometimes maintained through linked life-style payments to add an air of legitimacy, so investigating account connections and leveraging data points such as common addresses (and others) can be a powerful way to proactively identify accounts for further review.

Additionally, building a suitable greylist or using industry databases such as CIFAS (or others) can provide a mechanism of detecting suspicious profiles at onboarding. Research suggests that accounts used during the later phases of mule activity in a network are more likely to be used by criminals more than once, presenting an opportunity to detect them via robust data sharing and blacklisting.
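One way to implement the account-linking and greylist checks described above, as an added example that is not part of the original post: accounts that share a normalised address or device are grouped, and any account grouped with a greylisted one is queued for review. The sample accounts, field names, greylist and the `max_shared` cut-off (which keeps widely shared values such as a student hall from linking unrelated customers) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts; the field names are assumptions for this example.
ACCOUNTS = [
    {"id": "A1", "address": "12 High St, Flat 2", "device_id": "dev-01"},
    {"id": "A2", "address": "12 high st  flat 2", "device_id": "dev-02"},
    {"id": "A3", "address": "9 Mill Lane", "device_id": "dev-02"},
    {"id": "A4", "address": "Halls of Residence, Block C", "device_id": "dev-04"},
    {"id": "A5", "address": "Halls of Residence, Block C", "device_id": "dev-05"},
    {"id": "A6", "address": "Halls of Residence, Block C", "device_id": "dev-06"},
    {"id": "A7", "address": "Halls of Residence, Block C", "device_id": "dev-07"},
    {"id": "A8", "address": "3 Park Road", "device_id": "dev-08"},
]
# Constructed greylist: accounts already flagged internally or via a shared database.
GREYLIST = {"A3"}


def normalise(value):
    """Lower-case and collapse punctuation/whitespace so trivial variants match."""
    cleaned = "".join(c if c.isalnum() else " " for c in value.lower())
    return " ".join(cleaned.split())


def linked_clusters(accounts, fields=("address", "device_id"), max_shared=3):
    """Group accounts that share a data point, using union-find.

    A value held by more than `max_shared` accounts is treated as too common
    to be evidence of a link (shared housing, a library PC) and is ignored.
    """
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    # Index: (field, normalised value) -> account ids holding that value.
    holders = defaultdict(list)
    for acct in accounts:
        for field in fields:
            if acct.get(field):
                holders[(field, normalise(acct[field]))].append(acct["id"])

    # Merge the accounts behind each sufficiently rare shared value.
    for ids in holders.values():
        if 1 < len(ids) <= max_shared:
            for other in ids[1:]:
                parent[find(other)] = find(ids[0])

    clusters = defaultdict(set)
    for acct_id in parent:
        clusters[find(acct_id)].add(acct_id)
    return [c for c in clusters.values() if len(c) > 1]


def review_queue(accounts, greylist, **kwargs):
    """Accounts linked, directly or transitively, to a greylisted account."""
    queue = set()
    for cluster in linked_clusters(accounts, **kwargs):
        if cluster & greylist:
            queue |= cluster - greylist
    return sorted(queue)


if __name__ == "__main__":
    print("Linked clusters:", linked_clusters(ACCOUNTS))
    print("Queue for analyst review:", review_queue(ACCOUNTS, GREYLIST))
```

A link of this kind is a reason for an analyst to look at the account, not a finding in itself; A1 reaches the queue only transitively, through A2's shared device.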

Increase Education and Prevent Mules

Prevention is often better than a cure, so an important additional approach is to think about how FinTechs can help prevent the problem in the first instance. Reducing the pool of potential mules is a more cost effective ‘up-stream’ solution than tackling the effects of their activities. It also provides an opportunity for anti-financial crime professionals to add something back to the community with clear positive social impact.

FinTechs have a unique advantage in the way they interact with their customer base and can play an important role in educating particularly vulnerable clients - especially young people - through explicit guidance during onboarding and throughout the customer lifecycle. Companies can engage in and support anti-muling campaigns, such as the EU’s European Money Mule Action (EMMA) initiative, or the ‘Don’t be Fooled’ campaign by the UK groups CIFAS and Financial Fraud Action (FFA)(10).

The young are especially in need of guidance on what is ‘normal’ in the financial space, and arguably all financial providers have a duty of care in this regard. It does not take much to deliver simple key messages that reduce the risk to themselves and their clients: there is no legitimate reason to allow someone else to move their money via your account, however convincing they might be. There are three simple pieces of guidance FinTechs can give to their customers:

  • If you get offered a job or income, research any potential employer

  • Don’t respond to adverts offering large sums of money, for minimal input

  • Don’t allow anyone to access your account or use your card/app

  • And if it sounds too good to be true - it is. Walk away or ignore them.


Risk Assessment: Back to Basics

By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).

Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.

While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly-executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment. This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.

What is an AFC Risk Assessment?

In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.

AFC risk assessments also serve as:

  • A map of vulnerabilities. It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”

  • A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.

  • A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.

  • A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.

How do I Create an AFC Risk Assessment?

At their core, AFC risk assessments can be summarized in one essential formula:


Let’s break down each of these factors in a bit more detail.

Inherent Risk

Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:

  • Who your customers are

  • What geographies you serve

  • Your unique product and delivery features

Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.

You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?” the risk assessment should ask, “Provide the number of high-risk customers in each branch.”

Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.

Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.

Control Effectiveness

Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”

As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).

It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. Like with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.

Residual Risk

Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your residual risk score will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.

Case Study

AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:


A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.

Risks and Vulnerabilities

The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.

Managing Risks

The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening and robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.

Things to Remember

Here are a few key lessons to take away:

  1. AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!

  2. AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.

  3. AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.

  4. AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.

  5. AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.

Help and Resources

If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:

  • The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).

A Modern Curse - Fentanyl and FinCrime

Matthew Redhead (Senior Associate, FINTRAIL) & Krista Tongring (Managing Director, Guidepost)

Matthew Redhead is a financial crime risk and intelligence specialist, who has undertaken a range of senior operational, change management and leadership roles in financial services, consultancy and government. He works with FinTechs and challengers to build responsive and smart compliance frameworks that encourage innovation whilst minimising risk. 

Krista Tongring oversees a variety of compliance issues and investigations for clients including AML, trade compliance and anti-corruption matters. Previously, she had an accomplished career at the U.S. Department of Justice having most recently served as the Acting Section Chief at the Drug Enforcement Administration Office of Compliance. She led policy discussions and developed strategies to implement new and revised policies. She also worked to establish a more efficient policy review process. Ms. Tongring spent a significant portion of her career as a federal prosecutor where she investigated and prosecuted complex criminal matters, including racketeering, money laundering, abusive trust and other tax matters, international organized crime, criminal asset forfeiture, and violations of the Bank Secrecy Act.

As close partners of FINTRAIL Solutions are aware, we have been concerned about the impact of fentanyl - a powerful and highly addictive opioid used legally for the relief of extreme pain, but also produced and sold illegally - since early last year. The illegal use of the drug is at epidemic proportions in North America, and based on Canadian government warnings, we highlighted to clients and collaborators the potential financial crime risks that the burgeoning trade in the drug posed directly to FinTechs and their customers. 

As professionals in risk management, it is easy to look at issues like fentanyl and treat them as technical problems alone: risks to be identified and mitigated. However, the fentanyl epidemic highlights the underlying human tragedies that often drive the financial crime we seek to tackle. Overdoses of illegal fentanyl are reported to have killed the singers Prince and Tom Petty,[1] while the US Centers for Disease Control and Prevention (CDC) reported in December 2018 that fentanyl is now one of the main drugs involved in overdose deaths across the US.[2]

This blog post is the first in a series which will look at the social causes and contexts of financial crime. The aim is to look at the problem in the round - its character, causes and impact - to help remind us why it is not only important to fight the financial crime the problem engenders, but also to consider the reality for people who are caught up in these illegal trades - the mules, the users and the small-time dealers, who, in truth, are victims too.


The Fentanyl Problem

Fentanyl is an opioid: a category of drug that suppresses feelings of pain in the brain, whilst also engendering states of relief and relaxation. In its legally manufactured form, it is usually prescribed for extreme, chronic pain, and is rated as being up to 100 times stronger than a sister opioid, morphine. Legitimate fentanyl is usually taken as a patch, lozenge or injection, but care has to be taken, as there is a very real risk of overdose and death.[3] Fentanyl can also be illegally sourced, either through the theft and diversion of legitimate supplies, or the purchase of synthetically produced illegal variations, usually coming as a white powder that can be ‘cooked’ and injected, snorted or ingested, either on its own, or in combination with other illegal drugs, especially cocaine and heroin.[4]

Even the legal variety of the drug is extremely dangerous, and is classified in the top category of most countries’ controlled substance schedules.[5] Indeed, the drug is so powerful that in August 2018 it was used in Nebraska to execute Carey Dean Moore by lethal injection,[6] and has allegedly been banned on some drug supplier websites on the darknet, according to a 2018 report by the UK paper The Guardian.[7]


The Market

 There is little doubt that the current epicentre of the fentanyl epidemic is North America. In the US, the drug has had a devastating effect; in a recently published report from December 2018, the US Centers for Disease Control and Prevention (CDC) stated that, as of 2016, fentanyl is now linked to 29 percent of all overdose deaths.[8] Overall, more US citizens were killed by all opioids - of which fentanyl is most prominent - than were killed by guns or car accidents.[9] This CDC chart of opioid related deaths in the US gives some indication of the dramatic rise of the problem, and fentanyl’s role within it.

Figure 1 - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC)[10]

In Canada, the problem is equally significant. In June 2018, the Canadian authorities reported that over 4,000 Canadians had died from opioid overdoses in 2017, a new record, of which 72% were fentanyl or pseudo-fentanyl analogs.[11] Outside of North America, there has also been a reported rise in deaths by fentanyl in Australia,[12] New Zealand[13] and the UK[14] over recent years, although rates do not yet appear to have reached US levels. The EU Monitoring Centre for Drugs and Drug Addiction states on its website that fentanyl is a more marginal problem in the EU, affecting primarily Estonia, Germany, Belgium and Austria. However, EU statistics show that opioids as a class are becoming a greater problem in Ireland, France, Italy and Portugal.[15]


The Mechanics of the US Trade

The DEA and Department of Homeland Security (DHS) believe that the primary source of the illicit versions of the drug is China - one of the most popular terms for a range of fentanyl analogs is in fact ‘China White.’ Laboratories run by Chinese organised crime gangs produce high volumes of fentanyl, which are then marketed to other transnational traffickers, including the Mexican cartels, who move the drugs into North America. Fentanyl flows across the Pacific to Canada and Mexico via mail order services and smuggling, where it is often mixed with other drugs, and then smuggled into the US via the north eastern and south eastern borders.[16] The drug often comes in a powdered form, or disguised as the tablet forms of legal pharmaceuticals, such as oxycodone and hydrocodone.[17] 

The secondary source, and one of growing significance, is Mexico itself. In 2016, the DEA reported its suspicion that the Mexican cartels were ‘branching out’ into the production of fentanyl, using imported precursor chemicals from the US and China.[18] Over the last year this assessment has been confirmed by busts in Mexico, including one in December in the capital, that have revealed the existence of cartel-managed fentanyl labs.[19]

The mixture or ‘cutting’ of fentanyl with other drugs, such as cocaine or heroin, makes the combined hybrid drug even stronger and more addictive, and further helps us understand why its market is so sustainable. First, selling fentanyl keeps the costs of the traffickers and pushers down, because a small amount, though dangerous and potentially toxic, is relatively easy to produce and ship, yet has extreme potency. Second, the potency of the drug, especially when combined with other narcotics, means that users become quickly and highly dependent, ensuring that the suppliers have a captive market. Some of the strongest markets for fentanyl are in US states that already have high rates of opioid addiction. This is borne out by a DEA report indicating that many of the younger users of fentanyl turned to the drug once they could no longer obtain and/or afford illicit pharmaceutical opioids.[20]

The prospects of breaking this market in the short-term appear bleak. The problem has become so great that the US President, Donald Trump, has pressured his Chinese counterpart, Xi Jinping, to take action against the Asian end of the trade, most recently at the November/December 2018 G20 summit in Argentina. Although President Xi was supportive, it is likely to take some time before practical action occurs.[21] Moreover, recent Canadian requests to China for similar help have been less warmly met, largely because of ongoing disputes over the return of Chinese fugitives to Canada.[22] As long as the Canadian and Mexican gateways to the US remain open, the scourge of fentanyl in North America is likely to continue.


Fentanyl, FinCrime & FinTechs 

What role then for FinTechs?

For the last five years, there has been media ‘hype’ about the roles that FinTech platforms might play in the purchase of illegal drugs. Payments providers have been put out of business because their platforms have allowed individuals to buy illegal items unimpeded. In 2013, for example, the US Department of Justice (DoJ) closed Liberty Reserve, a digital payment processor, for facilitating the sale of drugs and child pornography, while cryptocurrencies are of particular current concern. In June 2018 the US media reported a DoJ enforcement action named ‘Operation Dark Gold,’ to stop the darknet sales of drugs using Bitcoin and other cryptocurrencies.[23]

Our clients’ experience tends to be more prosaic than some of these more sensational media cases. As a recent FinTech FinCrime Exchange (FFE) survey of UK FinTechs demonstrated, most financial crime typologies experienced in the UK cryptocurrency sector were around varieties of customer fraud. Nonetheless, we still believe that FinTechs have a responsibility to take these issues seriously. There are potentially striking indicators that, in combination, should raise concern (see breakout box), and we would urge all FinTechs working in payments services, retail accounts, prepaid cards and crypto transmission and exchange providers to give them due attention in their financial crime investigations.

  • Unusual Chinese transactions: Customers buying items from China, especially where this does not fit with the customer transaction profile or nature of businesses, along with multiple unconnected payments to a single individual in China;

  • Unusual health products: Firms offering apparently pharmaceutical or health products who demonstrate other unusual indicators such as those listed here;

  • High use of currency exchanges: Multiple payments from global currency and cryptocurrency exchanges, usually in small amounts; and

  • Tags and nicknames: Payments including nicknames such as Apache, China Girl and China Town, or precursor references such as NPP or ANPP.


For more details, contact FINTRAIL Solutions at
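The indicators in the breakout box, combined into a simple transaction-monitoring rule that only alerts when several of them co-occur on one account. This is an added example, not FINTRAIL's code; the field names, thresholds, the reading of "unconnected payments" as payments from different customers, and the sample transactions are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Terms quoted in the breakout box; whole-word, case-insensitive match.
REFERENCE_TERMS = re.compile(
    r"\b(apache|china\s+girl|china\s+town|a?npp)\b", re.IGNORECASE)

# Assumed thresholds: tune them against your own transaction data.
SMALL_AMOUNT = 200.0         # "small amounts" arriving from exchanges
MIN_EXCHANGE_PAYMENTS = 3    # "multiple payments" from exchanges
MIN_SENDERS_TO_PAYEE = 3     # "multiple unconnected payments" to one payee
MIN_INDICATORS = 2           # the post stresses indicators "in combination"


@dataclass(frozen=True)
class Txn:
    account: str        # our customer
    direction: str      # "in" or "out"
    counterparty: str
    cp_country: str     # ISO 3166 alpha-2 code
    cp_type: str        # "individual", "merchant" or "exchange"
    amount: float
    reference: str = ""


@dataclass(frozen=True)
class Profile:
    expected_countries: frozenset   # from onboarding / transaction profile
    sells_health_products: bool = False


def indicators(txns, profiles):
    """Return {account: set of indicator names} for the four red flags."""
    hits = defaultdict(set)
    small_exchange_payments = defaultdict(int)
    senders_to_cn_payee = defaultdict(set)

    for t in txns:
        profile = profiles[t.account]
        if REFERENCE_TERMS.search(t.reference):
            hits[t.account].add("tags_and_nicknames")
        if t.direction == "out" and t.cp_country == "CN":
            # Payment to China that does not fit the customer's profile.
            if "CN" not in profile.expected_countries:
                hits[t.account].add("unusual_chinese_transactions")
            if t.cp_type == "individual":
                senders_to_cn_payee[t.counterparty].add(t.account)
        if (t.direction == "in" and t.cp_type == "exchange"
                and t.amount <= SMALL_AMOUNT):
            small_exchange_payments[t.account] += 1

    for account, count in small_exchange_payments.items():
        if count >= MIN_EXCHANGE_PAYMENTS:
            hits[account].add("high_use_of_currency_exchanges")
    # Several different customers paying the same individual in China.
    for senders in senders_to_cn_payee.values():
        if len(senders) >= MIN_SENDERS_TO_PAYEE:
            for account in senders:
                hits[account].add("unusual_chinese_transactions")
    # Health products only matter alongside other flags (see MIN_INDICATORS).
    for account, profile in profiles.items():
        if profile.sells_health_products:
            hits[account].add("unusual_health_products")
    return dict(hits)


def alerts(txns, profiles):
    """Accounts on which at least MIN_INDICATORS distinct flags co-occur."""
    return {account: sorted(flags)
            for account, flags in indicators(txns, profiles).items()
            if len(flags) >= MIN_INDICATORS}


# Constructed sample data (not real customers or payments).
SAMPLE_PROFILES = {
    "acct-supplements": Profile(frozenset({"GB"}), sells_health_products=True),
    "acct-student": Profile(frozenset({"GB"})),
    "acct-importer": Profile(frozenset({"GB", "CN"})),
    "acct-modeller": Profile(frozenset({"GB"})),
}
SAMPLE_TXNS = [
    Txn("acct-supplements", "in", "exch-a", "GB", "exchange", 45.0),
    Txn("acct-supplements", "in", "exch-b", "NL", "exchange", 60.0),
    Txn("acct-supplements", "in", "exch-a", "GB", "exchange", 80.0),
    Txn("acct-supplements", "out", "payee-cn-01", "CN", "individual",
        900.0, "ANPP order"),
    Txn("acct-student", "out", "payee-cn-01", "CN", "individual",
        150.0, "China Girl"),
    # Legitimate importer: China is in profile, payee is a merchant.
    Txn("acct-importer", "out", "factory-cn", "CN", "merchant",
        5000.0, "invoice 1182"),
    # A keyword hit on its own is not enough to alert.
    Txn("acct-modeller", "out", "hobby-shop", "GB", "merchant",
        30.0, "Apache helicopter model kit"),
]

if __name__ == "__main__":
    for account, flags in alerts(SAMPLE_TXNS, SAMPLE_PROFILES).items():
        print(account, flags)
```

Requiring two or more indicators keeps a single keyword match, such as the model-kit payment in the sample, out of the alert queue while still recording it for investigators.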


At the same time, the case of fentanyl drives home the need for FinTechs to also take a longer-term view of the types of business they are doing. As regular readers of the FINTRAIL and FINTRAIL Solutions blogs will know, we recommend some basic prevention methods that include active risk assessment and defined risk appetite. We have found that it’s critical for FinTechs to take basic risk management seriously from the beginning - asking themselves questions about the vulnerabilities of their product and the risks those vulnerabilities open them up to. If you think your company is vulnerable, then take action. Get the basics right. Because it is in no one’s interest to facilitate the sale of a drug like fentanyl.


If you would like to know more about FINTRAIL Solutions and how we can help you and your business better manage financial crime risks, please contact us at












2018 and 2019

As we head into 2019, here is a summary of 2018 in numbers.


We welcomed James and John-Paul into the FINTRAIL family.


John-Paul will be leading the FINTRAIL and FFE communities so that Fintechs can collaborate on best practices in financial crime risk management.

James joins us to provide industry expertise to all of our projects across a wide range of subjects and specialisms.

We launched the FFE in the USA

As the FFE continues to grow and support its members in the UK and the Netherlands, we launched the FFE in the USA where we will be connecting the community to support the specific needs of American Fintechs.

We held our first FFE conference in London

Over 100 representatives from across the Fintech community spent a day discussing and sharing ideas on the theme of...

‘Disruptive Perspectives on Financial Crime’ 

Which was a huge success with over 100 Fintech experts meeting for a day of learning, sharing and networking.

Fintrail’s Gemma Rogers is Fighting Financial Crime for Fintech’s Sake

Fighting financial crime is TFT’s Wonder Woman this month, Gemma Rogers, CEO FINTRAIL. She speaks to Zoya Malik about using regulation in an innovative way to protect fintech startups from financial crime by looking at their risk appetites and implementing control measures to stay the course.

(Gemma Rogers, CEO FINTRAIL)

ZM: What is FINTRAIL’s objective?

GR: FINTRAIL’s objective is to work with our clients across the Fintech sector to ensure they meet regulatory expectations and can effectively manage financial crime risks. We do this by helping clients understand the financial crime and compliance risks they may face and then work with them to deploy proportionate and effective controls. I believe fintechs have an important role in society and present huge opportunities, but with that opportunity comes risk that illicit and bad actors may take advantage of the new technologies and products to further crime – we work with our clients to stop that from happening. Fintechs and challenger banks are unencumbered by legacy systems, data and processes, so can have an advantage over mainstream banks, making it a really exciting area to work in for passionate anti-financial crime professionals.

ZM: How are you advising fintech clients?

GR: We are a consultancy offering expertise on anti-financial crime compliance controls to fintech companies. Our approach with our clients is based on four pillars, Build, Scale, Assure and Solve. In terms of Build we look at what financial crime risks a company may face and ensure they have the right controls to manage them. In terms of Scale, we look at how new products or expansion plans may impact a client and also how controls can and should be scaled as they grow, providing additional capacity and support where and when our clients need it. With reference to Assure, this pertains to more mature fintechs where they require a 3rd party such as ourselves to test their systems and controls and determine that procedures align with regulatory compliance. In terms of Solve, we may come in where a firm has had a bad audit report or may have incidents of internal fraud. We help investigate these issues and advise on how to prevent them recurring in the future.

ZM: What is critical for fintechs in terms of setting up crime and fraud prevention controls?

GR: So, one of the main elements we focus on with our clients is the risk assessment: what this entails is a fintech truly understanding what specific financial crime risks they are exposed to.  What they are then able to do is focus the controls and preventative measures they apply on the risks that are most significant or where they have most exposure. This enables the fintechs to take a proportionate, risk-based but yet customer-friendly approach to how they fight financial crime, which can evolve as they grow their product offerings and business models.  

We also think it is vital that the industry benefits from collective learning and works together to fight back against the financial criminals. That is why we set up the FinTech Fincrime Exchange (FFE), a free members’ forum where we discuss best practices for fintechs, as well as the various permutations, or typologies, of what exactly financial crime can look like. Sharing information of this sort also strengthens the Fintech community’s stance against financial crime, ensuring that this sector plays its part in the global fight against financial crime, something that we are really passionate about at FINTRAIL.  

ZM: How are you advising clients on crypto assets crime prevention?

GR: We are really excited to be working in the cryptocurrency space.  There is a lot written about cryptocurrencies and their utility in financial crime schemes, and while there are risks, there are effective ways to mitigate these, just as there are in other asset classes.  When it comes into force, the Fifth Anti-Money Laundering Directive (5AMLD) will bring EU crypto exchanges and custodial wallets under the scope of ‘obliged entities’ for AML purposes. I believe this, and other recent regulatory developments is a really encouraging step forward, bringing crypto-assets into the mainstream and that the (hopefully proportionate) regulation will drive wider adoption and increase trust across all parties. Regulators want to see companies building controls according to their risk profile and this is precisely what they will want to see crypto related companies do. We are excited to be working with firms who are not only developing hugely innovative products and solutions but also taking a proactive approach to their financial crime risk mitigation strategies.

ZM: What will be new in terms of financial crime regulations and FINTRAIL’s business in 2019?

GR: We have recently expanded our business to the USA so we can offer fintech clients on both sides of the Atlantic access to specialist support, especially as companies are looking to expand and scale internationally. We will also be rolling out our services to Asia, in the early part of 2019.

Next year, Brexit will likely have an interesting impact on the Fintech sector across the UK and wider EU.  As such, we anticipate that FINTRAIL’s activities next year will include some advisory work for clients who are looking at how Brexit may impact their business and the changes in financial crime risk and compliance that may bring.

In the EU we are also excitedly awaiting implementation of the 5AMLD, which is in my view a welcome and positive sign that regulators are aiming to keep pace with the rapid technology developments that we are seeing among fintech and more traditional banking players.

Finally, we are going to be continuing the roll-out of the FFE network across the global fintech hubs in US, Asia and Europe to further expand the network of fintech financial crime professionals who are taking the fight to the criminals.

ZM: What has led your career to financial crime prevention?

GR: Having studied Russian and German at university, I started my career in national security in the UK, before moving into banking and realising that there was a huge crossover between the analytical skills required in government, and the skills needed to fight financial crime; when organisations are taking an ever more proactive stance against financial crime, and the need to be on the front foot to predict criminals’ behaviour is paramount having the ability to examine large amounts of data and set those findings into context is crucial.  Also, being able to understand the level of threat that criminals and crime types pose to different organisations is crucial when building out proportionate controls, and a prior career in national security was incredibly useful in that regard.

ZM: Do you think there is a lack of women entering this part of the industry? If so, why? What can bring them into the industry?

GR: I think the field is levelling out in anti-financial crime, largely because it’s such an interesting area to work in. Plus the opportunities for progression are great, particularly in the Fintech sector where companies are taking their responsibilities around anti-financial crime seriously and as such the subject is getting a good amount of board and senior management attention. Of course, more can always be done to encourage women to take up this career path: the Fintech Fincrime Exchange – a specialist industry forum for Fintechs to share and collaborate on financial crime issues – is proud to have signed up to the FinTech Parity Pledge to ensure we continue to have parity in our speakers; we already have an almost 50/50 split between male and female speakers, but we’re keen to do our bit to encourage this and promote diversity in FinTech.

ZM: What are your personal goals?

GR: Firstly, to ensure my colleagues and I at FINTRAIL are achieving our full potential whether that’s through having the right opportunities or through constructive, mutual feedback, and secondly that the Fintech community is equipped with the right skills and knowledge to fight financial crime effectively and efficiently. That was the goal behind the Fintech Fincrime Exchange Conference, that took place on 27 November 2018 where we aimed to provide some insightful content that disrupts traditional thinking around how to manage financial crime risks, and offered some practical skills-based sessions to add value to the ways in which Fintechs investigate and analyse financial crime issues.

ZM: Any concluding thoughts?

GR: Most importantly, we are passionate about fighting financial crime and the hugely negative impact it can have on society, customers and companies.  We like to think we can have a positive impact through our work with the inspirational teams and clients we work with in the fintech sector. We won’t solve financial crime overnight but if we all work together we can start to make a difference, building trust with customers, stakeholders and regulators at the same time.

Originally published here:

Do You Want the Bad News…?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Adverse Media Screening (AMS).

In a survey of 39 members, the FFE found that over 75% currently use AMS as part of their compliance framework. Members used AMS throughout the customer life cycle and identified using the tool in support of investigations and SAR filing to be most valuable. Members found it most impactful when applied in a proportionate way, tailored to their specific financial crime risks.

The survey identified some issues, however. Members continue to struggle with the high volumes of false positives generated by AMS, and were looking for more clarity from regulators on when to deploy AMS. Indeed, almost two-thirds of FFE members surveyed supported making the use of AMS a regulatory requirement, partly for clarity, but also to kickstart the RegTech sector into improving the accuracy of AMS solutions. While it is currently not an explicit requirement of regulators in the UK, US, or EU, recent findings from the FCA have suggested that, when well executed, it can mitigate financial crime risks. Further guidance of this kind would clearly help FinTechs.

In the meantime, research and feedback from members suggest that the best approach is likely to be a proportionate one. To gain the most value-add from AMS, FinTechs should therefore employ it on a risk-based approach to gather the information most relevant to their risk profile, while making sure their solutions are regularly reviewed to ensure they operate at the highest level. If used judiciously, bad news can be good news for FinTechs.



Sextortion: The Underreported Predicate Offence

Cases of sextortion are on the rise; however, as this type of crime grows in prominence, its relation to financial crime remains under-explored.

In May 2018, the National Crime Agency warned that tens of thousands of Britons were being targeted by ‘sextortion’ gangs. Reported cases have increased three times since 2015, and in July 2018, reports of a new, related phishing scam began making their way into our newsfeeds.

Sextortion is not a legal term and is used to cover a broad range of criminal activities. Interpol offer one of the best definitions, classing it as ‘blackmail in which sexual information or images are used to extort favours and/or money from the victim.’

Despite growing awareness from both a law enforcement and potential victim perspective, little analysis has been done on the financial crime implications of sextortion, which are potentially significant.

To help shed light on the subject, we explore three models here, detailing how they operate and what money laundering red flags you should look for.

The Phishing Scam

Over the past couple of months, law enforcement agencies from around the globe and across the UK have identified a new scam whereby perpetrators email victims claiming to have hacked into their webcam whilst they were watching pornographic content. The perpetrators request sums ranging from USD 200 to USD 8,000 to be paid in Bitcoin and have allegedly made USD 500,000 in total from the scam thus far. Other phishing scams linked to sextortion exist as well, meaning that funds firms might have seen laundered, and would normally attribute to classic phishing scams, could in fact be proceeds from sextortion. The likelihood of this could increase with time as the success of recent sextortion-related phishing campaigns becomes publicised.

Financial Crime Implications

  • Cryptocurrency payments – payments relating to sextortion cases may be requested in cryptocurrencies, so efforts should be made to cluster and risk rate bitcoin addresses. This information could be shared with FinTechs whose customers deal in cryptocurrencies or who directly facilitate cryptocurrency exchanges and wallets.

  • Recurring payments to the same beneficiary – the initial one-time payment could become recurring (though the value of each payment could change). Moreover, the payer and payee may have no other obvious connection outside of these payments.

  • New customers – victims could be new to paying in cryptocurrency and may not use cryptocurrency exchanges outside of these transactions.

The Catfishing Scam

This type of scam is typically carried out through organised criminal efforts, where fake profiles of women are created and used to entice men into performing sexually compromising acts on camera that are then recorded and used as blackmail. Recent cases have seen such activity linked to Romanian crime groups and call centre-style establishments out of the Philippines. Some photos and videos used to create these women are assessed to originate from coerced activity.

Financial Crime Implications

  • Payments from victims – these could come through as FPS payments and, as with phishing scams, could be larger amounts followed by recurring payments of varying amounts.

  • Adverse media checks – some KYC details, including contact information and residential address, may be found through adverse media checks to be connected to alleged romance fraud, dating scams or catfishing.

  • Organised activity – as these types of sextortion scams are often centrally organised, network analysis can be conducted on suspect accounts.
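
The payment-pattern red flags in the phishing and catfishing lists above (a first payment that becomes recurring with changing amounts, no other connection between payer and beneficiary, a payer new to the channel, and centrally organised receiving accounts) can be combined into one transaction-monitoring rule. The following Python is an added example, not code from the original article; the field names, thresholds and sample payments are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    day: date
    payer: str
    payee: str
    amount: float
    channel: str  # e.g. "FPS", "P2P", "CRYPTO"


# Illustrative thresholds (assumptions); tune them against your own data.
MIN_PAYMENTS = 3      # a one-off payment that has become recurring
MIN_VARIATION = 0.15  # coefficient of variation; fixed-amount bills fall below
MIN_SUPPORTING = 2    # supporting indicators needed before an alert is raised


def score_pairs(payments):
    """Return {(payer, payee): [supporting indicators]} for alerted pairs."""
    by_pair = defaultdict(list)
    first_use = {}  # (payer, channel) -> that payer's first payment on the channel
    for p in sorted(payments, key=lambda p: p.day):
        by_pair[(p.payer, p.payee)].append(p)
        first_use.setdefault((p.payer, p.channel), p)

    alerts = {}
    for (payer, payee), series in by_pair.items():
        amounts = [p.amount for p in series]
        # Gate 1: recurring payments to the same beneficiary.
        if len(series) < MIN_PAYMENTS:
            continue
        # Gate 2: the value changes between payments (rules out rent, subscriptions).
        if pstdev(amounts) / mean(amounts) < MIN_VARIATION:
            continue
        supporting = []
        if amounts[0] > max(amounts[1:]):
            supporting.append("larger first payment")
        # Proxy for "no other obvious connection": money never flows back.
        if (payee, payer) not in by_pair:
            supporting.append("no payments back from beneficiary")
        # The payer's first ever use of the channel was to pay this beneficiary.
        if first_use[(payer, series[0].channel)] is series[0]:
            supporting.append("payer new to this channel")
        if len(supporting) >= MIN_SUPPORTING:
            alerts[(payer, payee)] = supporting
    return alerts


def shared_beneficiaries(alerts, min_payers=2):
    """Network view: beneficiaries paid by several unrelated alerted payers."""
    payers = defaultdict(set)
    for payer, payee in alerts:
        payers[payee].add(payer)
    return {b: sorted(p) for b, p in payers.items() if len(p) >= min_payers}


# Constructed sample data (not real accounts or transactions).
SAMPLE = [
    # Fixed monthly rent: recurring but not varying, so never alerted.
    Payment(date(2018, 5, 1), "cust_a", "landlord", 750.0, "FPS"),
    Payment(date(2018, 6, 1), "cust_a", "landlord", 750.0, "FPS"),
    Payment(date(2018, 7, 1), "cust_a", "landlord", 750.0, "FPS"),
    # Large first payment, then smaller varying ones, nothing coming back.
    Payment(date(2018, 7, 3), "cust_a", "acct_x", 900.0, "FPS"),
    Payment(date(2018, 7, 10), "cust_a", "acct_x", 250.0, "FPS"),
    Payment(date(2018, 7, 21), "cust_a", "acct_x", 400.0, "FPS"),
    Payment(date(2018, 8, 2), "cust_a", "acct_x", 150.0, "FPS"),
    # Same beneficiary, second payer, who has never used crypto before.
    Payment(date(2018, 7, 5), "cust_b", "acct_x", 2000.0, "CRYPTO"),
    Payment(date(2018, 7, 15), "cust_b", "acct_x", 500.0, "CRYPTO"),
    Payment(date(2018, 7, 30), "cust_b", "acct_x", 800.0, "CRYPTO"),
    # Two friends splitting bills: varying amounts, but money flows both ways.
    Payment(date(2018, 6, 2), "cust_c", "friend_d", 20.0, "P2P"),
    Payment(date(2018, 6, 10), "friend_d", "cust_c", 30.0, "P2P"),
    Payment(date(2018, 6, 20), "cust_c", "friend_d", 35.0, "P2P"),
    Payment(date(2018, 7, 1), "friend_d", "cust_c", 15.0, "P2P"),
    Payment(date(2018, 7, 8), "cust_c", "friend_d", 12.0, "P2P"),
]

if __name__ == "__main__":
    found = score_pairs(SAMPLE)
    for pair, reasons in found.items():
        print(pair, reasons)
    print("shared beneficiaries:", shared_beneficiaries(found))
```

An alert from a rule like this is a prompt for investigation rather than a finding, since legitimate payments can match the same pattern.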

The Blackmail Trade

Blackmail trading can be done through organised criminal groups or more decentralised networks. This type of sextortion typically targets women, and overwhelmingly women under the age of 18. In some cases, children’s sites have deliberately been exploited to find potential victims. It begins similarly to catfishing, with the victim being encouraged into sexually compromising activity, which is then used as blackmail to extort further sexual activity. When the perpetrator grows bored of the victim, they will sell the blackmail material (and by extension, the victim) to a buyer who continues the activity.

Financial Crime Implications

  • Perpetrator to Perpetrator payments – as the payments are for blackmail, amounts could be smaller sums (e.g., £50 to £200) that are one-off payments and may be done through P2P platforms as the parties may know each other. They could be less likely to recur.

  • Payment references – check suspicious payments for references to sexual acts, children’s websites and the name of a woman in a payment between two men.

In all of these cases, unlike other scams, victims rarely ever report the abuse. The implications can be devastating and have been linked to suicide and non-virtual sexual violence. Even when victims do manage to escape, the fear remains. More effort is needed not just to help potential victims protect themselves, but also to crack down on the financial trail behind these activities. The latter - if addressed correctly - has significantly more chance of identifying rings and perpetrators than relying solely on victims reporting crimes, and is another area where public-private partnership could be used to powerful effect.

If you’d like to further discuss this type of crime or other serious predicate offences and how they are financed, don’t hesitate to get in touch.

Why Swiss Plans To Relax AML Regs For FinTech May Do More Harm Than Good

At FINTRAIL we think the Swiss plans to relax Anti-Money Laundering (AML) rules for FinTechs under a certain size may actually be a bad idea for the industry and may cause longer-term harm and complexity for those that take advantage of them.

We fully recognise that for small and early stage companies, complying with AML and Anti-Financial Crime (AFC) requirements can feel burdensome; however, it comes with a couple of significant advantages. Firstly, embedding AFC at an early stage is not just about complying with regulations, it's about building a strong compliance culture from scratch: creating a false pause in the need to do this frankly just makes the process harder when you do need to do it due to regulatory requirements. Secondly, people who think about AFC from the start can build in controls, make product changes easily, and generally make AFC a contributing factor to a great customer experience. Removing the drivers to set up an AFC framework from the start will mean that companies start bolting on controls, and - as we all know from the legacy institutions - that becomes supremely difficult.

At FINTRAIL we feel very privileged to work with dozens of FinTech companies who are at different stages of development and fall under a range of regulatory regimes: one advantage they all have over legacy institutions is that they are thinking about AML/AFC from day one. Is it hard to deal with regulations? Yes, of course, but by building compliance into the very foundation of the company and product they end up in a much better position long-term. It is driving innovation and forcing people to think differently about AML/AFC, their customers and products, and embedding a strong AFC culture from the start that remains as agile as the product development itself. If you want to rapidly scale your business and have a genuinely effective AFC regime, bolting that on is not the way to do it.

Our view is that rather than removing the need to comply with AML regulations, regulators should be looking at how they can simplify the process of complying for those that are at an early stage of their disruptive journey. In our mind that is about providing far more education and support.  It would also give regulators the chance to simplify the language used in regulations to make them easier to understand and thereby implement, while not removing the spirit of what these companies need to become accustomed to dealing with as they scale.

Cryptocurrencies: Getting Serious About Financial Crime Risk Management

Key Points


 ·      Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

·      With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

·      In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

·      Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

·      The foundations for implementing a successful risk-based approach to cryptocurrencies rest on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers

·      In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner


 The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe.

By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation.

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crimes Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation.

Many in the EU’s crypto industry have attempted to get ahead of the curve.

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU, ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’[1] 

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to meet regulators’ expectations could mean fines or other penalties for crypto businesses.

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face.

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions.

Unfortunately, the same old approaches won’t work.

Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions.

 A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box.

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge.

The Crypto Industry 


Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes.

Best practice in AML/CFT is about thoughtfully managing risk.

 A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk.

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

A well-designed risk-based approach starts with a thorough financial crime risk assessment.

For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential.

What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows. 

Current regulatory guidance, such as that of the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

·      Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing? 

·      Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

·      Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect?

·      Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present.

For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail.

Crypto businesses should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile.

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:

·      developing a logical approach to measuring inherent and residual risks;

·      ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

·      having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise.


#2 Defining Risk Appetite

 When a business understands its risks, it can decide which risks it finds acceptable, and those it finds too high.

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated[2], a good risk appetite statement can achieve several goals, including:

·      setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

·      establishing limits to risk taking so that staff have a clear understanding of unacceptable risks; 

·      defining staff members’ roles and responsibilities for mitigating risks; and

·      providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite.

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk.

 #3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals.

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG[3] advises, training should include ensuring staff awareness of:


·      the company’s risks, as identified in its financial crime risk assessment;

·      the company’s financial crime policies, procedures, systems and controls;

·      AML/CTF regulatory requirements applicable to the company, and the consequences of breaching those requirements;

·      the types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

·      red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs).

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company.

This may be accomplished, in part, by establishing financial crime risk committees that are comprised of senior risk and compliance staff and that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.  

#4 Choosing and Tuning Tools 

To be effective, a financial crime compliance team must be more than just impressive-sounding titles.

Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces.

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risk assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used.

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite.

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks.

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations. 

As JMLSG notes[4], effective systems and controls are generally characterised by factors such as:

·      alignment with regulatory requirements and expectations;

·      appropriate resourcing; and

·      competent staff operating the controls.

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice. 


#5 Working with Partners

 Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers.

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms.

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence.

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime.

Other Financial Institutions


It’s not just crypto businesses that need to be aware of the changing regulatory climate. Banks and other financial institutions must be alert to the crypto-related risks they face.

As the UK’s FCA stated in its letter to firms in June 2018, ‘You should take reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets.’[5]

We’ve identified some ways that non-crypto financial institutions can tackle the crypto challenge.

#1 – Measure Risk Exposure

Banks and other firms should not just make blanket assumptions about the nature or extent of cryptocurrency-related risks they may face. A risk assessment and benchmarking exercise can assist in determining the extent of any exposure, whether direct or indirect, a firm may have to cryptocurrency services and users. For example:

·      a large bank undertakes a review of customer transactions to determine whether any customers are acting as unlicenced crypto brokers on sites such as;

·      a prepaid card provider conducts a review of customers’ spending patterns to determine which customers are buying cryptocurrencies from exchanges, and to understand the nature of that activity;

·      a wealth management firm conducts a risk-based review to determine whether any high net worth customers may obtain their source of wealth from cryptocurrencies, ICOs or other crypto-related products.  


#2 – Develop Risk-Based Business Strategies

 Having assessed the nature of any exposure to cryptocurrencies, a firm can begin to make informed decisions about the types of cryptocurrency-related activity it is willing to accept.

Understanding risks and assessing them in a thoughtful way can allow firms to move beyond knee-jerk de-risking of cryptocurrency-related business.

A thoughtful risk-based approach enables firms to maintain exposure to crypto activity and seek opportunities in this exciting new space without taking unnecessary risks.

For example, a firm can implement an approach that allows it to:

·      accept cryptocurrency activity that presents relatively low levels of risk, such as simple trading of Bitcoin on a regulated exchange;

·      engage cryptocurrency businesses that operate in certain jurisdictions but not in others that would present risks of sanctions breaches or other unacceptable activity; and

·      clearly articulate those crypto-related products and services it is not willing to accept so that staff are aware of activity that may not be pursued.

#3 – Cultivate Expertise 

Banks and other firms should develop knowledge of cryptocurrencies among their AML/CTF compliance staff, as well as among their financial intelligence units and investigative teams.

Training and ongoing educational opportunities on cryptocurrencies should be provided to key staff members, who will then be equipped to play a proactive role in managing risks in a thoughtful and truly risk-based manner.

Crypto-focused training can include developing staff understanding of:

·      relevant financial crime typologies;

·      available crypto-related products and services;

·      significant industry developments; and

·      the evolving regulatory landscape around cryptocurrencies.


#4 – Deploy Bespoke Controls

It’s important to avoid the temptation to treat cryptocurrency risks like any other financial crime risks.

Cryptocurrency risks warrant bespoke approaches.

When assessing the risks around customers or transactions involving cryptocurrencies, firms should measure risks considering the unique circumstances of the situation.

For example, if a pre-paid card customer is observed purchasing cryptocurrencies from an exchange, it may help to understand if that exchange has a sound reputation and is subject to regulation before deciding if the activity is acceptable or not. This requires having in place a carefully designed methodology for assessing the risk factors around cryptocurrency exchanges.

Developing an effective control framework can also include considering whether to utilise cryptocurrency forensic tools for monitoring customers’ crypto activity or for use in conducting complex investigations in support of SAR filings.

What’s important is that these controls are designed and deployed in a thoughtful manner, and tested to ensure they work effectively.


Summing Up


As regulators take a closer look at cryptocurrencies, firms must take the initiative and ensure they are managing the financial crime risks.

Whether you’re a cryptocurrency exchange, retail bank, FinTech or other financial institution, the time to begin building a robust crypto risk management framework is now.

At FINTRAIL, we’re equipped to assist your business in its cryptocurrency risk management journey. Whether it’s

·      designing bespoke risk assessment methodologies and conducting risk assessments;

·      defining risk appetite statements and measuring adherence to risk appetite;

·      developing and delivering financial crime training;

·      establishing and supporting financial crime committees and other governance arrangements;

·      designing new policies, processes, tools and systems; or

·      establishing audit and assurance arrangements, and conducting tests of systems and controls


Our team of consultants is here to help.


[1] Europol, From Suspicion to Action: Converting financial intelligence into greater operational impact, 2017, p. 18.

[2] See

[3] See JMLSG, chapters 7.29 – 7.41.

[4] See JMLSG, chapter 3.35.


Geopolitics & Cryptocurrency

Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years.  Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage.  With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.

Korean Cryptocurrency

The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading.  Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.

In recent months there has appeared to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950. In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached. But with the latest UN reports suggesting the Kim regime is continuing to build its nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.

As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy.  It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme which is estimated to cost 30% of the country’s GDP.  Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. An unsurprising fact, as North Korea is among the most corrupt in the world, currently 171 out of 180.  Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of cryptotrading very attractive.  The difficulty of tracing the source of virtual funds, especially when trading involves private coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender.  The dollars, euros or pounds can be entirely without trace of their suspicious origins.

The regime has also allegedly turned its hand to simple theft of cryptocurrencies.  Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.

Russia’s Crypto Measures

Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election.  Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.  

The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality.  However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN).  They also raised funds through bitcoin mining.

It also detailed how they obscured the origin of bitcoin they received:

‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’

As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself.  They laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’.  The growing awareness and recognition of the intricacies of the cryptomarket by authorities means the same will be expected of financial institutions. It was noted that the 12 Russians used a mix of currencies including US dollars, so the border between fiat and cryptocurrencies needs to be understood: an institution that believes itself to deal only in one or the other is likely exposed to both.

Practical Steps for FinTechs

With over 1500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being private coins and of course coins created by sanctioned entities, such as Petro coin by Venezuela.

Weak KYC and verification processes on signing up for an account with a crypto-exchange are an important factor.  Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.

Geography is central to assessing financial crime risk.  While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.

The regulatory status of a crypto-exchange is a particularly fast-evolving risk factor.  There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities.  However, it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. This lack of oversight makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and yes, sanctions evasion.


While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context.  Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.

5AMLD - What To Look Out For

Just over a month ago, the final text of the Fifth Anti-Money Laundering Directive (5AMLD) was published, kicking off the 18-month countdown until it comes into play. Its precise, full impact is unknown for now, but it is expected to significantly impact the way governments, regulators and businesses in Europe have to approach financial crime risk.

What’s the rush?

This new directive followed the former surprisingly quickly in large part due to the rising popularity of digital currencies combined with the hysteria following the Panama Papers. Given it’s only been 2 years since the last AMLD was adopted (some countries are still trying to implement it), compared to the 12-year gap between the previous AMLDs, it is clear the European Commission is focused on reassuring people and businesses that they are on top of new and developing issues.

What does 5AMLD actually change?

The key change from the 4AMLD comes in the definition of “obliged entities”, increasing its scope to include virtual currencies, anonymous prepaid cards and other digital currencies. Previously, there have been no specific laws aimed to cope with the risks of virtual currencies and it’s clear that with this new directive, the European Commission is intent on making sure that virtual currencies do not become a safe space for criminality. It also shows clear signs of their move to increase the scope of the fight against money laundering (ML) and terrorist financing (TF), as criminals can take advantage of the anonymity of virtual and digital currencies.

The other key aspect of the 5AMLD is that it further clarifies the requirements and timings for the implementation of the required beneficial ownership registers introduced in the 4AMLD. Essentially, member states and the European Commission will be required to keep accurate and up to date registers that must be interconnected to the European central platform. This integration will allow for more efficient information sharing, making it easier to combat ML and TF.

Other features include the adjustments made to address Politically Exposed Persons (PEPs), expanding the definition and pledging to publish a combined list of EU and Member States’ lists of all prominent public functions. Traditionally, a “one size fits all” and “once a PEP, always a PEP” approach has been used, but this system is not adequately risk-based. The new regulations hope to address this issue by integrating a more nuanced and comprehensive approach to identifying and managing the financial crime risk linked to PEPs.

There is also set to be enhanced co-operation and information sharing among EU Financial Intelligence Units (FIUs) in the hope that this will make information more easily accessible and align with international best practices. FIUs across the EU receive broader powers under the 5AMLD as they will no longer be limited to the identification of a predicate offence or suspicious activity report prior to filing an information request.

So, how to prepare?

With this new directive being introduced, here are a few things firms may want to consider in preparation:

1)    Virtual Currencies – 5AMLD will require obliged entities, i.e. providers engaged in exchange services between virtual and fiat currencies, to be registered and to comply with AML and CFT requirements. National authorities will be authorized to obtain all the associated information and regulate them accordingly. Exchanges that fall under the definition of an obliged entity will need to start benchmarking their existing frameworks against existing EU and jurisdiction specific AML & CTF controls and making any appropriate enhancements.

2)    PEP Categorisation – With changes being made to PEPs, firms may want to start thinking about how they categorise PEPs and how they apply different levels of monitoring, so that they are prepared when the new categorisation criteria come in.

3)    Increased Reporting – Under new business ownership discrepancy rules, firms will be obliged to report discrepancies they find between the beneficial ownership information available in the central registers and their own registers. In the case of reported discrepancies, Member States will be obliged to ensure that appropriate actions be taken to resolve the discrepancies in a timely manner.

4)    Due Diligence Advances – 5AMLD will require a specific Enhanced Due Diligence list to be applied when dealing with high-risk countries defined by the European Commission. You should review and update your due diligence processes to ensure full compliance.

If you need any help scoping enhancements for implementation or indeed reviewing whether your current procedures meet EU or jurisdiction-specific requirements, FINTRAIL will be happy to offer assistance.

UK Suspicious Activity Reports (SAR) - Balancing Customer Experience in a FinTech

Suspicious Activity Reports (SARs) are familiar to many of us as the mechanism used by obliged entities to report suspicion of money laundering or terrorist financing to relevant authorities. However, the SAR process can cause some challenges for early stage FinTechs who are trying to balance regulatory requirements with transparent and customer centric service. It is something we get a lot of questions about, so we thought we would outline some hints and tips on things to think about.

In the asymmetrical game of whack-a-mole that is the fight against financial crime, SARs are a useful but sometimes imperfect tool for generating intelligence about financial criminals. Notifying the appropriate financial crime enforcement unit such as the National Crime Agency (NCA) when a Defence Against Money Laundering SAR (DAML) is required is not only the right thing to do but also usually a regulatory and legal requirement. DAML SARs, as the name implies, are reports that describe the most important facets of activity that could be regarded as suspicious and indicative of money laundering.  Their regulatory purpose can’t be overstated, as they act as a conduit between the events themselves, the handling of the questionable funds, and possible investigation by law enforcement.

However, the nature of SARs and the context they operate in can be challenging. This is especially true for companies and especially start-ups in the FinTech sector who are seeking to meet their regulatory and legal requirements while also providing a great customer experience. FinTechs are operating in an interesting era, where customer feedback on social media and review sites such as TrustPilot have tangible impact on the success of a product or service. They also provide a challenge to financial crime teams and those responsible for public relations (which we discuss below).

We aren’t going to dive deep into the overall requirements of the SAR regime in this blog; we would be here for some time! Instead, we will focus on a few practical tips for FinTechs to consider when balancing customer experience and their regulatory and legal requirements. Wider SAR guidance is available from the likes of the NCA, and the team at FINTRAIL are always available to offer advice.

1.    It will happen

The first thing we stress to our customers who form part of the reporting regime is that, at some stage, you will have to deal with a customer and the SAR process. You are better off developing a simple internal process before it happens. Think about what your team needs to do when dealing with a customer subject to an investigation before you have the additional pressure of them asking for answers. Equally, ensuring you have a clear customer off-boarding/exit process will also ensure this is done in a timely and fair way. Once you have a process established, ensure your team is well trained and understands the risks and challenges associated with customer investigations.

2.    Don’t Panic

The language around SARs and things like “tipping-off” can be intimidating, especially when you see terms like criminal offence. Don’t panic about this. By doing step 1 first you will be able to make sure you meet your obligations. No one is perfect, and mistakes sometimes get made, just make sure to learn from those opportunities.

3.    Have a strategy for customer engagement

It’s well known - particularly in the FinTech community, where customer interaction is vital, immediate and direct - that some of those who engage in financial crime are wily and tenacious. They can be hostile in their communications once transactions are blocked, or accounts are suspended pending investigation or the submission of a SAR. Those who must deal with them are presented with an unenviable operational challenge: they cannot give anything away that would make the criminal suspect they are the subject of investigation/SAR (“tipping off”), but nor can they lie and treat the customer unfairly.

Each instance is different, but there are some suggestions that are practical for most encounters:

  • Don’t ignore customers, as positive engagement is a better strategy than ignoring them. Be polite, professional and responsive but have a clear line and stick with it.

  • Proactively provide your customer ops or support teams with standard lines or approaches to take in response to customer enquiries. Make sure they have training on these approaches and they are broadly consistent.

  • Trust in your policies and processes, they are there for a reason. However, if you find something has gone wrong make sure you capture the reasons and put it right.

  • Do not be swayed by threats. This is a tactic we have seen used on several occasions to try and force a response from the obliged entity and put those people dealing with them under increased pressure.

  • As an organisation, you should have a zero-tolerance policy to harassment or intimidation and if this occurs you should immediately involve your local law enforcement.

  • Just because they are subject to a SAR doesn’t mean their rights as a customer are suspended. Refer them to relevant departments, such as complaints, in the appropriate circumstances.

  • Sometimes it’ll be necessary to move the case up the chain to someone on the team with greater authority or more knowledge of the situation. Knowing when to do this, and when not to, is important.

  • Be responsive on social media and to customer reviews. The compliance/financial crime and PR/social media teams can collaborate to standardise responses to negative feedback from customers on the back of investigation or exit process, without the risk of tipping-off.

  • However, do not get dragged into a drawn-out back-and-forth with customers on social media. Provide a clear, well-judged and visible response but do not allow them to bait you.

4.    Write clear and accurate SARs/DAML SARs

In the UK especially, the NCA receives hundreds of DAML requests every day and thousands of SARs. To help law enforcement process those requests as efficiently as possible and therefore provide you with the response you may be requesting, it is important to ensure you follow guidance and provide complete, well-written and concise SARs. Equally, make sure you follow relevant guidance on when and when not to file a SAR or DAML SAR to avoid over-filing and creating unwarranted operational challenges.


Without a doubt, SARs perform a valuable function, and they have proven their worth countless times by helping to start and inform investigations into criminal activity. However, the SAR process can cause operational and customer challenges that, if considered before they happen, can be managed efficiently while still maximising a great customer experience.

GDPR Principles: Vetting Data Processors In A Digital World

GDPR no longer needs any introduction, and here at FINTRAIL, we loved collaborating with the team at Jumio to help them launch their GDPR e-booklet, which you can download here.  

Together, we came up with 5 key principles that we think best help data controllers understand the activity of their online identity verification providers, and whether or not they’re fully GDPR compliant. Data processors in this space handle vast amounts of sensitive, personal data that, while integral to ensuring customers are who they say they are, can also be exploited or mishandled.  As such, GDPR compliant practices are key.

In brief, these are the main questions that controllers can ask of their processors which will help frame their thinking on this important aspect of compliance:

  1. Human Review: How are verification decisions made and what recourse do data subjects have to challenge those decisions?

    • GDPR gives individuals the right not to have significant decisions made about them solely on the basis of automated processing.

  2. Compliant Machine Learning: Does the data processor employ Compliant Machine Learning?

    • Under GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.

  3. Data Retention: Can data retention policies be tailored to your business requirements?

    • Clear processes around data retention and deletion help processors and controllers deal with the stipulations around Subject Access Requests.

  4. Data Breach Notifications: Do you have a data breach notification process in place and has it been tested?

    • Processors, as well as controllers, need to be able to inform relevant parties of any data breach in a timely fashion; having clear and verified processes around this is one step in the right direction.

  5. Data Encryption: Is personal data encrypted and protected appropriately?

    • Proper data protection and encryption reduces the likelihood of a breach and increases the privacy of citizens’ information. GDPR stipulates that personal data is properly protected.

You can read more detail in the e-booklet of course, and find out even more information about GDPR, its implications for processors, how best to approach these questions, and exactly how Jumio is helping controllers maintain and manage their GDPR compliance through its innovative identity verification solutions and careful approach to data privacy.

Cryptocurrencies and UK FinTechs: Perspectives and Experiences of Financial Crime

The UK FinTech FinCrime Exchange (FFE) has just launched its latest white paper on FinTech perspectives and experiences on the nexus of cryptocurrencies and financial crime.

Cryptocurrencies experienced a meteoric rise in both value and popularity at the end of 2017.

While the value of popular cryptocurrencies such as Bitcoin has declined, interest has remained. International governments have been slow to regulate the emerging market, and many in the traditional financial services sector and wider public have expressed concerns related to the ability of cryptocurrencies to facilitate financial crime.
This paper answers the following questions: how does the UK FinTech sector perceive the risks associated with cryptocurrencies, and how are they managing the challenges related to this new disruptive technology?

Our research suggests that while some UK FinTechs have considered engaging more with cryptocurrencies, perceived financial crime concerns, the need for meaningful AML/CTF controls and the lack of regulatory clarity have fostered an attitude of caution.

We found that perceptions of financial crime risk associated with cryptocurrencies differed from actual experiences of FFE members.  These perceptions had a disproportionate impact on how FinTechs chose to engage with cryptocurrencies, limiting their appetite for extending their exposure, and for some, that of their banking partners.

The paper recommends that FinTechs not be deterred by the challenges associated with cryptocurrencies, as financial crime concerns can be managed through tailored, risk-based anti-financial crime tools, and a solid understanding of any areas of concern through a detailed risk assessment process. Regulators as well as law enforcement actors should collaborate more with FinTechs in order to improve the broader understanding around cryptocurrencies, financial crime and new regulatory developments.

More detailed findings are presented in the white paper.

For more information on the FFE or on cryptocurrencies and financial crime, please contact the FFE Admin.

FFE Expansion - Holland

FINTRAIL and RUSI, in partnership with Holland FinTech and bunq, are pleased to announce the launch of the Dutch FinTech FinCrime Exchange (FFE NL)!

The FFE NL is a local network connecting Dutch FinTechs to enable sharing of information and typologies, to help strengthen the sector’s ability to detect and counter the global threat of financial crime. The launch of the FFE NL also marks the FFE’s first step toward global expansion and the development of an international, interconnected network for financial crime information sharing.

The initiative leverages the success of the FinTech FinCrime Exchange (FFE) UK and builds on its best practices, while also connecting local actors.  The FFE UK is a member organisation of over 45 of the UK’s leading FinTechs, who share information and financial crime typologies and controls. The FFE network produces white papers to exchange best practice on financial crime risk and compliance mechanisms, and to share experiences and inform relevant stakeholders in law enforcement, government and regulatory bodies.

The global scope of financial crime and the shared threats faced by all major FinTech hubs particularly underscore the need for the FFE NL, which will give its members not only a trusted place to exchange information, but also access to an increasingly far-reaching network of resources and perspectives.

The first FFE NL meeting will be held on 30 May in Amsterdam, designed to align with the ACAMS 14th Annual AML & Financial Crime Conference Europe.

The FFE network is currently free for members.  For more information on FFE NL or to register interest in membership, please contact

The FFE was founded in January 2017 by FINTRAIL, a financial crime risk management consultancy, and the Centre for Financial Crime and Security Studies at the Royal United Services Institute (RUSI). 

Investment Due Diligence: Leave No Stone Unturned

Due diligence - a term bandied about readily with much confidence across many different sectors - is broadly accepted as a process that underpins a thorough and confident appraisal of a specific business proposition, perhaps a significant merger, acquisition or other investment. At its most effective, due diligence arms a business with the facts it needs to make confident, astute decisions. At its worst, poor due diligence muddies already murky waters and potentially guides businesses down the wrong path.

To avoid the latter outcome, it’s best to avoid an off the shelf, one-size-fits-all process and instead adopt a bespoke approach that accounts for all inherent risks associated with a particular proposition.

Venture capital (VC) investment in FinTech - a booming industry - is a case in point. VCs have to understand complex business models and cutting-edge technology to pinpoint viable investment opportunities. For VCs armed with millions, or indeed billions - $1.8 billion was raised by UK FinTechs in 2017 - and facing fierce competition from other VCs, the panoply of risks presented by startup FinTechs could appear daunting.

VCs will often feel most comfortable assessing the viability of the business model, legal and financial aspects and will engage experts to evaluate the technology. That makes perfect sense. The success of a FinTech largely hinges on a successful combination of those areas and, more often than not, those are the risks most familiar to VCs. However, other stones sometimes remain unturned.

People risk is often overlooked or considered addressed through a simple criminal background check. With the wealth of information sources now available it’s perhaps remiss not to take a closer look at those who you’re investing in. Start-up scams are not uncommon in Silicon Valley; an early 2017 Fortune article explored the sector’s “unethical underside”. Are the founders who they say they are? How accurate are CVs and other stated accomplishments? The CEO of WrkRiot pleaded guilty to fraud last month. Have failed attempts to fund other start-ups been disclosed? What about other initiatives that crashed spectacularly? Are other business interests in play that conflict with those of the VC? Many a business leader and politician has fallen foul of skeletons discovered in cupboards they’d long since forgotten about.

How about the culture of the firm? Is there evidence of unethical practices in the founders’ previous businesses? What does social media tell us? The merest hint of unethical behaviour could have a huge impact on the culture of the firm, which in turn could lead to corners being cut, regulations not properly adhered to and risk decisions ignored or taken well outside of risk appetite.

Thorough due diligence of a FinTech couldn’t be considered complete without a close look at how its offer might be exposed to financial crime risk. The fledgling nature of the firm will mean a full risk assessment isn’t possible, but early inspection of the proposal will allow for an early judgement to be made on the type of controls and framework needed to deliver a compliant and secure product.

An effective due diligence exercise should alert a VC or other investment firm to concerns in any of these areas. However, if risks go unflagged through neglectful or absent due diligence they hold the potential to manifest further down the line with grave consequences for the VC and other stakeholders.

FINTRAIL would be delighted to discuss structuring a bespoke due diligence process for any aspect of prospective investments. Our team have deep experience in conducting due diligence for global banks, investors and government agencies and have a wealth of cutting edge tools at our disposal.