Risk Assessment: Back to Basics

By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).

Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.

While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly-executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment . This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.

What is an AFC Risk Assessment?

In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.


AFC risk assessments also serve as:

  • A map of vulnerabilities: It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”

  • A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.

  • A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.

  • A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.

How do I Create an AFC Risk Assessment?

At their core, AFC risk assessments can be summarized in one essential formula:

INHERENT RISK - CONTROL EFFECTIVENESS = RESIDUAL RISK

Let’s break down each of these factors in a bit more detail.

Inherent Risk

Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:

  • Who your customers are

  • What geographies you serve

  • Your unique product and delivery features

Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.

You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?,”  the risk assessment should ask, “Provide the number of high-risk customers in each branch.”

Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.

Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.


Control Effectiveness

Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”

As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).

It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. Like with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.


Residual Risk

Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your level your residual risk scores will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.

Case Study

AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:

Scenario

A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.

Risks and Vulnerabilities

The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.

Managing Risks

The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening and robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.


Things to Remember

Here are a few key lessons to take away:

  1. AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!

  2. AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.

  3. AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.

  4. AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.

  5. AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.

Help and Resources

If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:

  • The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).

A Modern Curse - Fentanyl and FinCrime

Matthew Redhead (Senior Associate, FINTRAIL) & Krista Tongring (Managing Director, Guidepost)

Matthew Redhead is a financial crime risk and intelligence specialist, who has undertaken a range of senior operational, change management and leadership roles in financial services, consultancy and government. He works with FinTechs and challengers to build responsive and smart compliance frameworks that encourage innovation whilst minimising risk. 

Krista Tongring oversees a variety of compliance issues and investigations for clients including AML, trade compliance and anti-corruption matters. Previously, she had an accomplished career at the U.S. Department of Justice having most recently served as the Acting Section Chief at the Drug Enforcement Administration Office of Compliance. She led policy discussions and developed strategies to implement new and revised policies. She also worked to establish a more efficient policy review process. Ms. Tongring spent a significant portion of her career as a federal prosecutor where she investigated and prosecuted complex criminal matters, including racketeering, money laundering, abusive trust and other tax matters, international organized crime, criminal asset forfeiture, and violations of the Bank Secrecy Act.

As close partners of FINTRAIL Solutions are aware, we have been concerned about the impact of fentanyl - a powerful and highly addictive opioid used legally for the relief of extreme pain, but also produced and sold illegally - since early last year. The illegal use of the drug is at epidemic proportions in North America, and based on Canadian government warnings, we highlighted to clients and collaborators the potential financial crime risks that the burgeoning trade in the drug posed directly to FinTechs and their customers. 

As professionals in risk management, it is easy to look at issues like fentanyl and treat them as technical problems alone: risks to be identified and mitigate. However, the fentanyl epidemic highlights the underlying human tragedies that often drive the financial crime we seek to tackle. Overdoses of illegal fentanyl are reported to have killed the singers Prince and Tom Petty,[1] while the US Centers for Disease Control and Prevention (CDC) reported in December 2018 that fentanyl is now one of the main drugs involved in overdose deaths across the US.[2]

 This blog post is the first in a series which will look at the social causes and contexts of financial crime. The aim is to look at the problem in the round - its character, causes and impact - to help remind us why it is not only important to fight the financial crime the problem engenders, but also consider the reality for people who are caught up in these illegal trades - the mules, the users and the small time dealers, who, in truth, are victims too.

 

The Fentanyl Problem

Fentanyl is an opioid: a category of drug that suppresses feelings of pain in the brain, whilst also engendering states of relief and relaxation. In its legally manufactured form, it is usually prescribed for extreme, chronic pain, and is rated as being up to 100 times stronger than a sister opioid, morphine. Legitimate fentanyl is usually taken as a patch, lozenge or injection, but care has to be taken, as there is a very real risk of overdose and death.[3] Fentanyl can also be illegally sourced, either through the theft and diversion of legitimate supplies, or the purchase of synthetically produced illegal variations, usually coming as a white powder that can be ‘cooked’ and injected, snorted or ingested, either on its own, or in combination with other illegal drugs, especially cocaine and heroin.[4]

 Even in the legal variety of the drug is extremely dangerous, and is classified in the top category of most countries’ controlled substance schedules.[5] Indeed, the drug is so powerful that in August 2018 it was used in Nebraska to execute Carey Dean Moore by lethal injection,[6] and has allegedly been banned on some drug supplier websites on the darknet, according to a 2018 report by the UK paper The Guardian.[7]

 

The Market

 There is little doubt that the current epicentre of the fentanyl epidemic is North America. In the US, the drug has had a devastating effect; in a recently published report from December 2018, the US Centers for Disease Control and Prevention (CDC) stated that, as of 2016, fentanyl is now linked to 29 percent of all overdose deaths.[8] Overall, more US citizens were killed by all opioids - of which fentanyl is most prominent - than were killed by guns or car accidents.[9] This CDC chart of opioid related deaths in the US gives some indication of the dramatic rise of the problem, and fentanyl’s role within it.

Figure 1  - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC) [10]

Figure 1 - Synthetic Opioid Drug Poisoning Deaths, per 100,000 of US Population 2011-2016, (Source CDC)[10]

In Canada, the problem is equally significant. In June 2018, the Canadian authorities reported that over 4,000 Canadians had died from opioid overdoses in 2017, a new record, of which 72% were fentanyl or pseudo-fentanyl analogs.[11] Outside of North America, there has also been a reported rise in deaths by fentanyl in Australia,[12] New Zealand[13] and the UK[14] over recent years, although rates do not yet appear to have reached US levels. The EU Monitoring Centre for Drugs and Drug Addiction states on its website that fentanyl is a more marginal problem in the EU, affecting primarily Estonia, Germany, Belgium and Austria. However, EU statistics show that opioids as a class are becoming a greater problem in Ireland, France, Italy and Portugal.[15]

 

The Mechanics of the US Trade

The DEA and Department of Homeland Security (DHS) believe that the primary source of the illicit versions of the drug is China - one of the most popular terms for a range of fentanyl analogs is in fact ‘China White.’ Laboratories run by Chinese organised crime gangs produce high volumes of fentanyl, which are then marketed to other transnational traffickers, including the Mexican cartels, who move the drugs into North America. Fentanyl flows across the Pacific to Canada and Mexico via mail order services and smuggling, where it is often mixed with other drugs, and then smuggled into the US via the north eastern and south eastern borders.[16] The drug often comes in a powdered form, or disguised as the tablet forms of legal pharmaceuticals, such as oxycodone and hydrocodone.[17] 

Fentanyl white paper_Map.png

The secondary source, and one of growing significance, is Mexico itself. In 2016, the DEA reported its suspicion that the Mexican cartels were ‘branching out’ into the production of fentanyl, using imported precursor chemicals from the US and China.[18] Over the last year this assessment has been confirmed by busts in Mexico, including one in December in the capital, that have revealed the existence of cartel-managed fentanyl labs.[19]

The mixture or ‘cutting’ of fentanyl with other drugs, such as cocaine or heroin, makes the combined hybrid drug even stronger and more addictive, and further help us understand why its market is so sustainable. First, selling fentanyl keeps the costs of the traffickers and pushers down, because a small amount, though dangerous and potentially toxic, is relatively easy to produce and ship, yet has extreme potency. Second, the potency of the drug, especially when combined with other narcotics, means that users become quickly and highly dependent, ensuring that the suppliers have a captive market. Some of the strongest markets for fentanyl are in US states that already have high rates of opioid addiction.  This is borne out by a DEA report indicating that many of the younger users of fentanyl turned to the drug once they could no longer obtain and/or afford illicit pharmaceutical opioids.[20]

The prospects of breaking this market in the short-term appear bleak. The problem has become so great that the US President, Donald Trump, has pressured his Chinese counterpart, Xi Jinping, to take action against the Asian end of the trade, most recently at the November/December 2018 G20 summit in Argentina. Although President Xi was supportive, it is likely to take some time before practical action occurs.[21] Moreover, recent Canadian requests to China for similar help have been less warmly met, largely because of ongoing disputes over the return of Chinese fugitives to Canada.[22] As long as the Canadian and Mexican gateways to the US remain open, the scourge of fentanyl in North America is likely to continue.

 

Fentanyl, FinCrime & FinTechs 

What role then for FinTechs?

 For the last five years, there has been media ‘hype’ about the roles that FinTech platforms might play in the purchase of illegal drugs. Payments providers have been put out of business because their platforms have allowed individuals to buy illegal items unimpeded. In 2013, for example, the US Department of Justice (DoJ) closed Liberty Reserve, a digital payment processor, for facilitating the sale of drugs and child pornography, while cryptocurrencies are of particular current concern. In June 2018 the US media reported a DoJ enforcement action named ‘Operation Dark Gold,’ to stop the darknet sales of drugs using Bitcoin and other cryptocurrencies. [23]

Our clients’ experience tends to be more prosaic than some of these more sensational media cases. As a recent FinTech FinCrime Exchange (FFE) survey of UK FinTechs demonstrated, most financial crime typologies experienced in the UK cryptocurrency sector were around varieties of customer fraud. Nonetheless, we still believe that FinTechs have a responsibility to take these issues seriously. There are potentially striking indicators that, in combination, should raise concern (see breakout box), and we would urge all FinTechs working in payments services, retail accounts, prepaid cards and crypto transmission and exchange providers to give them due attention in their financial crime investigations.

 
Fentanyl white paper_State count.png
 

●      Unusual Chinese transactions: Customers buying items from China, especially where this does not fit with the customer transaction profile or nature of businesses, along with multiple unconnected payments to a single individual in China;

●      Unusual health products: Firms offering apparently pharmaceutical or health products who demonstrate other unusual indicators such as those listed here;

●      High use of currency exchanges: Multiple payments from global currency and cryptocurrency exchanges, usually in small amounts; and

●      Tags and nicknames: Payments including nicknames such as Apache, China Girl and China Town, or precursor references such as NPP or ANPP.

 

For more details, contact FINTRAIL Solutions at contact@fintrailsolutions.com

 

At the same time, the case of fentanyl drives home the need for FinTechs to take a longer term view too about the types of business they are doing. As regular readers of the FINTRAIL and FINTRAIL Solutions blogs will know, we recommend some basic prevention methods that include active risk assessment and defined risk appetite. We have found that its critical for FinTechs to take basic risk management seriously from the beginning - asking themselves questions about the vulnerabilities of their product and the risks that opens them up to. If you think your company is vulnerable, then take action. Get the basics right. Because it is in no one’s interest to facilitate the sale of a drug like fentanyl.

 

If you would like to know more about how FINTRAIL Solutions and how we can help you and our business better manage financial crime risks, please contact us at contact@fintrailsolutions.com.


[1] https://www.rollingstone.com/music/music-features/musics-fentanyl-crisis-inside-the-drug-that-killed-prince-and-tom-petty-666019/

[2] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf

[3] https://bnf.nice.org.uk/drug/fentanyl.html; https://adf.org.au/drug-facts/fentanyl/

[4] https://adf.org.au/drug-facts/fentanyl/

[5] https://www.dea.gov/drug-scheduling; https://napra.ca/nds/fentanyl; https://www.gov.uk/government/publications/controlled-drugs-list--2/list-of-most-commonly-encountered-drugs-currently-controlled-under-the-misuse-of-drugs-legislation

[6] https://www.independent.co.uk/news/world/americas/carey-dean-moore-fentanyl-capital-punishment-death-penalty-nebraska-execute-a8491671.html

[7] https://www.theguardian.com/society/2018/dec/01/dark-web-dealers-voluntary-ban-deadly-fentanyl

[8] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf, p.1

[9] https://www.centeronaddiction.org/the-buzz-blog/we-asked-you-answered-did-guns-car-crashes-or-drug-overdoses-kill-more-people-2017

[10] https://www.cdc.gov/nchs/data/nvsr/nvsr67/nvsr67_09-508.pdf, p.4

[11] https://globalnews.ca/news/4282699/canada-opioid-death-statistics-2017/

[12] https://www.theguardian.com/science/2018/may/13/he-was-gone-fentanyl-and-the-opioid-deaths-destroying-australian-families

[13] https://www.newsroom.co.nz/2018/09/03/220753/drug-cartels-dealing-illicit-prescription-drugs-eye-new-zealand

[14] https://www.theguardian.com/society/2018/aug/06/fentanyl-drug-deaths-rise-nearly-third-england-wales

[15] http://www.emcdda.europa.eu/html.cfm/indexEN.html

[16] https://www.hsdl.org/?view&did=797265, p.70

[17] http://facethefentanyl.ca/?page_id=15

[18] https://www.hsdl.org/?view&did=797265, p.65

[19] https://www.washingtonpost.com/world/the_americas/mexico-raids-lab-producing-fentanyl-in-capital/2018/12/12/fd21ee18-fe55-11e8-a17e-162b712e8fc2_story.html?noredirect=on&utm_term=.06db3fad0ad1

[20] https://www.dea.gov/sites/default/files/2018-10/PA%20Opioid%20Report%20Final%20FINAL.pdf, p.28

[21] https://edition.cnn.com/2018/12/01/politics/fentanyl-us-china-g20-talks/index.html

[22] https://globalnews.ca/news/4658188/fentanyl-china-canada-diplomatic-tensions/

[23] https://www.theverge.com/2018/6/27/17509444/dark-web-drug-market-money-laundering-hsi-dark-gold

2018 and 2019

Fintrail visual identity v1_Mailchimp header 1819.png

As we head into 2019, here is a summary of 2018 in numbers.

44895fb2-88c0-427e-8797-041c24a58cdb.jpg

We welcomed James and John-Paul into the FINTRAIL family.

f781b957-08db-4b7f-b4d8-966845e9cbc5.jpg

John-Paul will be leading the FINTRAIL and FFE communities so that Fintechs can collaborate on best practices in financial crime risk management.

James Nurse BW.jpg

James joins us to provide industry expertise all of our projects across a wide range of subjects and specialisms.


We launched the FFE in the USA

As the FFE continues to grow and support its members in the UK and the Netherlands, we launched the FFE in the USA where we will be connecting the community to support the specific needs of American Fintechs.


We held our first FFE conference in London

Over 100 representatives from across the Fintech community spent a day discussing and sharing ideas on the theme of...
 

‘Disruptive Perspectives on Financial Crime’ 

Which was a huge success with over 100 Fintech experts meeting for a day of learning, sharing and networking.

Fintrail’s Gemma Rogers is Fighting Financial Crime for Fintech’s Sake

Fighting financial crime is TFT’s Wonder Woman this month, Gemma Rogers, CEO FINTRAIL. She speaks to Zoya Malik about using regulation in an innovative way to protect fintech startups from financial crime by looking at their risk appetites and implementing control measures to stay the course.

(Gemma Rogers, CEO FINTRAIL)

ZM: What is FINTRAIL’s objective?

GR: FINTRAIL’s objective is to work with our clients across the Fintech sector to ensure they meet regulatory expectations and can effectively manage financial crime risks. We do this by helping clients understand the financial crime and compliance risks they may face and then work with them to deploy proportionate and effective controls. I believe fintechs have an important role in society and present huge opportunities, but with that opportunity comes risk that illicit and bad actors may take advantage of the new technologies and products to further crime – we work with our clients to stop that from happening. fintechs and challenger banks are unencumbered by legacy systems, data and processes, so can have an advantage over mainstream banks, making it a really exciting area to work in for passionate anti-financial crime professionals.

ZM: How are you advising fintech clients?

GR: We are a consultancy offering expertise on anti-financial crime compliance controls to fintech companies. Our approach with our clients is based on four pillars, Build, Scale, Assure and Solve. In terms of Build we look at what financial crime risks a company may face and ensure they have the right controls to manage them. In terms of Scale, we look at how new products or expansion plans may impact a client and also how controls can and should be scaled as they grow, providing additional capacity and support where and when our clients need it. With reference to Assure, this pertains to more mature fintechs where they require a 3rd party such as ourselves to test their systems and controls and determine that procedures align with regulatory compliance. In terms of Solve, we may come in where a firm has had a bad audit report or may have incidents of internal fraud. We help investigate these issues and advise on how to prevent them recurring in the future.

ZM: What is critical for fintechs in terms of setting up crime and fraud prevention controls?

GR: So, one of the main elements we focus on with our clients is the risk assessment: what this entails is a fintech truly understanding what specific financial crime risks they are exposed to.  What they are then able to do is focus the controls and preventative measures they apply on the risks that are most significant or where they have most exposure. This enables the fintechs to take a proportionate, risk-based but yet customer-friendly approach to how they fight financial crime, which can evolve as they grow their product offerings and business models.  

We also think it is vital that the industry benefits from collective learning and works together to fight back against the financial criminals. That is why we set up the FinTech Fincrime Exchange (FFE), a free members’ forum where we discuss best practices for fintechs, as well as the various permutations, or typologies, of what exactly financial crime can look like. Sharing information of this sort also strengthens the Fintech community’s stance against financial crime, ensuring that this sector plays its part in the global fight against financial crime, something that we are really passionate about at FINTRAIL.  

ZM: How are you advising clients on crypto assets crime prevention?

GR: We are really excited to be working in the cryptocurrency space.  There is a lot written about cryptocurrencies and their utility in financial crime schemes, and while there are risks, there are effective ways to mitigate these, just as there are in other asset classes.  When it comes into force, the Fifth Anti-Money Laundering Directive (5AMLD) will bring EU crypto exchanges and custodial wallets under the scope of ‘obliged entities’ for AML purposes. I believe this, and other recent regulatory developments is a really encouraging step forward, bringing crypto-assets into the mainstream and that the (hopefully proportionate) regulation will drive wider adoption and increase trust across all parties. Regulators want to see companies building controls according to their risk profile and this is precisely what they will want to see crypto related companies do. We are excited to be working with firms who are not only developing hugely innovative products and solutions but also taking a proactive approach to their financial crime risk mitigation strategies.

ZM: What will be new in terms of financial crime regulations and FINTRAIL’s business in 2019?

GR: We have recently expanded our business to the USA so we can offer fintech clients on both sides of the Atlantic access to specialist support, especially as companies are looking to expand and scale internationally. We will also be rolling out our services to Asia, in the early part of 2019.

Next year, Brexit will likely have an interesting impact on the Fintech sector across the UK and wider EU.  As such, we anticipate that FINTRAIL’s activities next year will include some advisory work for clients who are looking at how Brexit may impact their business and the changes in financial crime risk and compliance that may bring.

In the EU we are also excitedly awaiting implementation of the 5AMLD, which is in my view a welcome and positive sign that regulators are aiming to keep pace with the rapid technology developments that we are seeing among fintech and more traditional banking players.

Finally, we are going to be continuing the roll-out of the FFE network across the global fintech hubs in US, Asia and Europe to further expand the network of fintech financial crime professionals who are taking the fight to the criminals.

ZM: What has led your career to financial crime prevention?

GR: Having studied Russian and German at university, I started my career in national security in the UK, before moving into banking and realising that there was a huge crossover between the analytical skills required in government, and the skills needed to fight financial crime; when organisations are taking an ever more proactive stance against financial crime, and the need to be on the front foot to predict criminals’ behaviour is paramount having the ability to examine large amounts of data and set those findings into context is crucial.  Also, being able to understand the level of threat that criminals and crime types pose to different organisations is crucial when building out proportionate controls, and a prior career in national security was incredibly useful in that regard.

ZM: Do you think there is a lack of women entering this part of the industry? If so, why? What can bring them into the industry?

GR: I think the field is levelling out in anti-financial, largely because it’s such an interesting area to work in.  Plus the opportunities for progression are great, particularly in the Fintech sector where companies are taking their responsibilities around anti-financial crime seriously and as such the subject is getting a good amount of board and senior management attention.  Of course, more can always be done to encourage women to take up this career path: the Fintech Fincrime Exchange – a specialist industry forum for Fintechs to share and collaborate on financial crime issues – is proud to have signed up to the FinTech Parity Pledge to ensure we continue to have parity in our speakers; we already have an almost 50/50 split between male and female speakers, but we’re keen to do our bit to encourage this and promote diversity in FinTech.

ZM: What are your personal goals?

GR: Firstly, to ensure my colleagues and I at FINTRAIL are achieving our full potential whether that’s through having the right opportunities or through constructive, mutual feedback, and secondly that the Fintech community is equipped with the right skills and knowledge to fight financial crime effectively and efficiently. Tha was the goal behind the Fintech Fincrime Exchange Conference, that took place on 27 November 2018 where we aimed to provide some insightful content that disrupts traditional thinking around how to manage financial crime risks, and offered some practical skills-based sessions to add value to the ways in which Fintechs investigate and analyse financial crime issues.

ZM: Any concluding thoughts?

GR: Most importantly, we are passionate about fighting financial crime and the hugely negative impact it can have on society, customers and companies.  We like to think we can have a positive impact through our work with the inspirational teams and clients we work with in the fintech sector. We won’t solve financial crime overnight but if we all work together we can start to make a difference, building trust with customers, stakeholders and regulators at the same time.

Originally published here:

https://thefintechtimes.com/fintrails-gemma-rogers/

Do You Want the Bad News…?

The FFE and sponsor, the Regulatory DataCorp (RDC), have just released the FFE’s latest white paper on FinTechs’ use of Adverse Media Screening (AMS) .


In a survey of 39 members, the FFE found that over 75% currently use AMS as part of their compliance framework. Members used AMS throughout the customer life cycle and identified using the tool in support of investigations and SAR filing to be most valuable. Members found it most impactful when applied in a proportionate way, tailored to their specific financial crime risks.


The survey identified some issues, however. Members continue to struggle with the generation of high volumes of false positives generated by AMS, and were looking for more clarity from regulators on when to deploy AMS. Indeed, almost two-thirds of FFE members surveyed supported making the use of AMS a regulatory requirement, partly for clarity, but also to kickstart the RegTech sector into improving the accuracy of AMS solutions. While it is currently not an explicit  requirement for regulators in the UK, US, or EU, recent findings from the FCA have suggested that when well-executed, it can mitigate financial crime risks. Further guidance of this kind would clearly help FinTechs.


In the meantime, research and feedback from members suggest that the best approach is likely to be a proportionate one. To gain the most value-add from AMS, FinTechs should therefore employ it on a risk-based approach to gather the information most relevant to their risk profile, while making sure their solutions are regularly reviewed to ensure they operate at the highest level. If used judiciously, bad news can be good news for FinTechs.

FFE_RDC_AMS-01.png

To download the full paper, click here.

Sextortion: The Underreported Predicate Offence

Cases of sextortion are on the rise; however, as this type of crime grows in prominence, its relation to financial crime remains under-explored.

In May 2018, the National Crime Agency warned that tens of thousands of Britons were being targeted by ‘sextortion’ gangs. Reported cases have increased three times since 2015, and in July 2018, reports of a new, related phishing scam began making their way into our newsfeeds.

Sextortion is not a legal term and is used to cover a broad range of criminal activities. Interpol offer one of the best definitions, classing it as ‘blackmail in which sexual information or images are used to extort favours and/or money from the victim.’

Despite growing awareness from both a law enforcement and potential victim perspective, little analysis has been done on the financial crime implications of sextortion, which are potentially significant.

To help shed light on the subject, we explore three models here--detailing how they operate and what money laundering red flags you should look for.

The Phishing Scam

Over the past couple months, law enforcement agencies from around the globe and across the UK have identified a new scam whereby perpetrators email victims alleging to have hacked into their webcam whilst they were watching pornographic content. The perpetrators request sums ranging from USD$200 to USD$8000 to be paid in Bitcoin and have allegedly made USD$500,000 in total off of the scam thus far. Other phishing scams linked to sextortion exist as well, meaning funds firms might have seen laundered  - and would normally attribute to classic phishing scams - could in fact potentially be proceeds from sextortion. The likelihood of this could increase with time as the success of recent sextortion-related phishing campaigns becomes publicised.

Financial Crime Implications

  • Cryptocurrency payments-- payments relating to sextortion cases may be requested in cryptocurrencies, so efforts should be made to cluster and risk rate bitcoin addresses, and this information could be communicated with FinTechs whose customers deal in cryptocurrencies or who directly facilitate cryptocurrency exchanges and wallets.

  • Recurring payments to the same beneficiary-- the initial one-time payment could become recurring (though the value of each payment could change). Moreover, the payer and payee may have no other obvious connection outside of these payments.

  • New customers-- victims could be new to paying in cryptocurrency and may not use cryptocurrency exchanges outside of these transactions.

The Catfishing Scam

This type of scam is typically carried out through organised criminal efforts, where fake profiles of women are created and used to entice men into performing sexually compromising acts on camera that are then recorded and used as blackmail. Recent cases have seen such activity linked to Romanian crime groups and call centre-style establishments out of the Philippines. Some photos and videos used to create these women are assessed to originate from coerced activity.

Financial Crime Implications

  • Payments from victims--these could come through as FPS payments, and, like with phishing scams, could to be larger amounts followed by recurring payments of varying amounts.

  • Adverse media checks--some KYC details including contact information and residential address may be found through adverse media checks to be connected to alleged romance fraud, dating scams or catfishing.

  • Organised activity--as these types of sextortion scams are often centrally organised, network analysis can be conducted on suspect accounts.

The Blackmail Trade

Blackmail trading can be done through organised criminal groups or more decentralised networks. This type of sextortion typically targets women, and overwhelmingly women under the age of 18. In some cases, children’s sites have deliberately been exploited to find potential victims. It begins similarly to catfishing, with the victim being encouraged into sexually compromising activity, which is then used as blackmail to extort further sexual activity. When the perpetrator grows bored of the victim, they will sell the blackmail material (and by extension, the victim) to a buyer who continues the activity.

Financial Crime Implications

  • Perpetrator to Perpetrator payments--as the payments are for blackmail, amounts could be smaller sums (e.g., £50 to £200) that are one-off payments and may be done through P2P platforms as the parties may know each other. They could be less likely to recur.

  • Payment references--check suspicious payments for references to sexual acts, children’s websites and the name of a woman in a payment between two men.

In all of these cases, unlike other scams, victims rarely ever report the abuse. The implications can be devastating and have been linked to suicide and non-virtual sexual violence. Even when victims do manage to escape, the fear remains. More effort is needed not just to help potential victims protect themselves, but also to crack down on the financial trail behind these activities. The latter - if addressed correctly - has significantly more chance of identifying rings and perpetrators than relying solely on victims reporting crimes, and is another area where public-private partnership could be used to powerful effect.

If you’d like to further discuss this type of crime or other serious predicate offences and how they are financed, don’t hesitate to get in touch.


Why Swiss Plans To Relax AML Regs For FinTech May Do More Harm Than Good

At FINTRAIL we think the Swiss plans to relax Anti-Money Laundering (AML) rules for FinTech under a certain size may actually be a bad idea for the industry and cause those that take advantage longer term harm and complexity.

We fully recognise that for small and early stage companies, complying with AML and Anti-Financial Crime (AFC) requirements can feel burdensome however it comes with a couple of significant advantages. Firstly, embedding AFC at an early stage is not just about complying with regulations, it's about building a strong compliance culture from scratch: by creating a false pause in the need to do this frankly just makes the process harder when you do need to do it due to regulatory requirements. Secondly, by making people think about AFC from the start, they can build in controls, make product changes easily, and generally make AFC a contributing factor to a great customer experience. Removing the drivers to set up an AFC framework from the start will mean that companies start bolting-on controls, and - as we all know from the legacy institutions - that becomes supremely difficult.

At FINTRAIL we feel very privileged to work with dozens of FinTech companies who are at different stages of development and fall under a range of regulatory regimes: one advantage they all have over legacy institutions is that they are thinking about AML/AFC from day one. Is it hard to deal with regulations - yes, of course, but by building it into the very foundation of the company and product they end up in a much better position long-term. It is driving innovation and forcing people to think differently about AML/AFC, their customers and products, and embedding a strong AFC culture from the start that remains as agile as the product development itself. If you want to rapidly scale your business and have a genuinely effective AFC regime, bolting that on is not the way to do it.

Our view is that rather than removing the need to comply with AML regulations, regulators should be looking at how they can simplify the process of complying for those that are at an early stage of their disruptive journey. In our mind that is about providing far more education and support.  It would also give regulators the chance to simplify the language used in regulations to make them easier to understand and thereby implement, while not removing the spirit of what these companies need to become accustomed to dealing with as they scale.

Cryptocurrencies: Getting Serious About Financial Crime Risk Management

Key Points

 

 ·      Global policymakers have set their sights on cryptocurrencies, signalling that tackling the related financial crime risks is a major security priority

·      With the adoption of the Fifth Money Laundering Directive (5AMLD), cryptocurrency exchanges and wallet providers across the EU will soon face direct regulatory scrutiny and must ensure that they have appropriate financial crime risk management frameworks in place

·      In countries such as the US, where crypto-related AML/CTF regulation has already been in place for some time, regulators have indicated that they will intensify scrutiny of crypto businesses

·      Banks and other financial institutions are also facing pressure from regulators to manage their exposure to cryptocurrencies and related risks

·      The foundations for implementing a successful risk-based approach to cryptocurrencies rests on several pillars: conducting thorough risk assessments; defining risk appetite; cultivating staff competency and subject matter expertise; developing robust governance arrangements; developing, deploying and testing bespoke tools; and collaborating with industry peers

·      In this briefing, FINTRAIL explores how companies can successfully manage cryptocurrencies’ unique financial crime risks in an innovation-friendly manner


Introduction

 The EU’s adoption of the Fifth Money Laundering Directive (5AMLD) in July 2018 marks an important moment for cryptocurrency businesses across Europe.

By January 2020, EU member states must bring crypto exchanges and custodial wallet providers within the scope of their anti-money laundering and countering the financing of terrorism (AML/CFT) regulation.

The so-called ‘Wild West’ environment for crypto businesses is coming to an end.

5AMLD will put the EU’s crypto industry on par with peers in the US, where the Financial Crime Enforcement Network (FinCEN) clarified in 2013 that crypto exchanges are subject to AML/CFT regulation.

Many in the EU’s crypto industry have attempted to get ahead of the curve.

Even prior to 5AMLD’s adoption, some crypto businesses across the EU had implemented AML/CFT policies and procedures, demonstrating their intention to be responsible actors. Europol has noted that, even absent formal regulation to date, many crypto exchanges across the EU, ‘aim to comply with AML requirements regarding customer due diligence and transaction monitoring . . . [and] many have shown themselves to be willing and capable of supporting [law enforcement] investigations.’[1] 

5AMLD nonetheless marks a turning point. EU crypto exchanges and wallet providers can’t merely be compliant on paper or on a voluntary basis any longer. They will soon be expected to demonstrate to regulators that they are actively managing their financial crime risks in a proportionate and effective manner. Failure to do so could mean fines or other penalties for crypto businesses that fail to meet regulators’ expectations.

In countries where crypto-related regulations are already in place, such as the US, signs point to a climate of intensifying regulatory scrutiny. In March of 2018, FinCEN issued guidance stating that the exchange of Initial Coin Offerings (ICOs) falls within its remit. In April 2018, New York’s Attorney General’s Office launched an inquiry into the accountability and transparency of crypto exchanges, requesting that thirteen major crypto exchanges disclose information about the nature of their compliance frameworks, including their AML/CFT programmes.

It’s not only crypto exchanges that are coming under the microscope. Regulators are putting increasing pressure on all financial institutions to manage cryptocurrency risks. In June 2018, the UK’s Financial Conduct Authority (FCA) published a letter to firms in which it set out its expectation that banks and other financial institutions should evaluate and manage the crypto-related financial crime risks they face.

Beyond the US and Europe, from Canada to Japan to Australia and beyond, regulators are taking a closer look at the nature of cryptocurrency risks and how the financial sector is managing them. The Financial Action Task Force (FATF) is currently reviewing the applicability of global AML/CFT standards to cryptocurrencies, demonstrating the renewed will of global policymakers to tackle the perceived risks. 

In this environment, it may be tempting to find quick fixes and to address new risk management challenges with old compliance solutions.

Unfortunately, the same old approaches won’t work.

Cryptocurrencies present unique financial crime risk management challenges that warrant unique solutions.

 A thoughtful risk-based approach to cryptocurrencies requires thinking outside the box.

In this briefing paper, we share our thoughts about how firms in the crypto industry and in the broader financial sector can meet the challenge.


The Crypto Industry 

 

Crypto businesses need to keep in mind that ‘compliance’ is not just about ticking boxes.

Best practice in AML/CFT is about thoughtfully managing risk.

 A well-calibrated risk-based approach can allow a crypto exchange or wallet provider to establish a truly comprehensive financial crime risk management framework that protects the integrity of its business, reduces exposure to financial crime and mitigates regulatory risk.

We’ve identified five key areas that can help a crypto business build a best-in-class risk management framework. 

#1 Assessing Risk

 A well-designed risk based approach starts with a thorough financial crime risk assessment.

For crypto businesses, a risk assessment that takes account of the unique features and challenges of crypto products and services is essential.

What’s more, it is important to develop a risk assessment framework that is scalable and can be used to evaluate changes in risk exposure as a company grows. 

Current regulatory guidance, such as the UK’s Joint Money Laundering Steering Group (JMLSG), sets out factors to consider when undertaking a firm-wide risk assessment:

·      Geography – Crypto businesses should assess risks related to where they are located and where they offer services. For example, is a crypto exchange registered in a jurisdiction with a strict regulatory environment, and how does this operating environment impact its risk profile? Is the platform accessible from jurisdictions subject to international sanctions? Is the service available in countries with high levels of terrorist financing? 

·      Customers – A crypto business should also consider whether factors about its specific customer base could impact its overall risk profile. For example, does it have any customers who are politically exposed persons (PEPs)? If so, who are those PEPs and does their source of wealth present any red flags? Are customers who are nationals of countries associated with high levels of human trafficking creating accounts in large numbers, and if so, do those accounts present signs of unusual activity?

·      Product – A crypto business needs to consider how any product features might impact its risk exposure. Does the product enable the rapid conversion of fiat currency to crypto in a way that might prove attractive to money launderers? Is the product vulnerable to high value money laundering, or do its features present a risk of lower-value money mule activity that can be pervasive but difficult to detect?

·      Delivery channel – A crypto business also needs to think carefully about the risks related to how customers access its product or platform. Is it only accessible online? Or does the product involve Bitcoin ATMs or other physical infrastructure that customers can use?

In addition to assessing these general risk categories, crypto businesses should think carefully about the money laundering and terrorist financing risks that their specific offerings present.

For example, whether they provide an online exchange service, a crypto ATM network or crypto prepaid cards, crypto businesses will face unique money laundering typologies and criminal vulnerabilities that are highly specific to their business type. Recent cases suggest that criminals are becoming savvier in exploiting a diverse range of crypto-related products and services, seeking out platforms that allow them to engage in increasingly complex money laundering schemes. Developing bespoke risk management solutions requires understanding these typologies in detail.

Crypto business should also assess the financial crime risks around the types of cryptocurrencies they provide. For example, privacy coins with high levels of anonymity such as Monero may present unique risks and challenges. It may prove challenging to monitor customer activity where these coins are present. Crypto exchanges that offer privacy coins to customers need to be aware of the resulting impact on their risk profile.

It’s important to remember that a risk assessment process should be supported by a sound methodology that enables a company to understand the evolution of its risks over time. This should include:

·      developing a logical approach to measuring inherent and residual risks;

·      ensuring risk assessment findings are thoroughly documented and presented clearly to senior management; and

·      having processes in place for updating the risk assessment, in whole or in part, when new business lines and products are launched, geographical expansion occurs or other trigger events arise.

 

#2 Defining Risk Appetite

 When a business understands its risks, it can decide which risks it finds acceptable, and those it finds too high.

A financial crime risk appetite statement can allow a crypto business to scale and develop new products and services in a thoughtful manner that ensures commercial goals are achieved without taking on excessive risk. As the Financial Stability Board has indicated[2], a good risk appetite statement can achieve several goals, including:

·      setting quantitative measures that track exposure to key risks, enabling proactive mitigation of risks before they become unacceptably high;

·      establishing limits to risk taking so that staff have a clear understanding of unacceptable risks; 

·      defining staff members’ roles and responsibilities for mitigating risks; and

·      providing a baseline against which assurance functions can test that systems and controls are enabling the company to operate within its risk appetite.

By clearly defining the levels of risk they are willing to assume, a company’s senior management can establish a clear ‘tone from the top’ and foster a strong company culture. Failure to do so can result in a lax risk management environment that leaves the company exposed to reputational and regulatory risk.

 #3 Building a Compliance Team and Governance Arrangements

A strong company culture on financial crime is only possible if supported by a competent and effective team of suitably qualified AML/CTF compliance professionals.

Even the smallest crypto companies should ensure that they have adequately experienced staff who understand financial crime risks, regulatory requirements and appropriate control measures. To this end, it is important to make sure that staff have received appropriate training. As the UK’s JMLSG[3] advises, training should include ensuring staff awareness of:

 

·      the company’s risks, as identified in its financial crime risk assessment;

·      the company’s financial crime policies, procedures, systems and controls;

·      AML/CTF regulatory requirements applicable to the company, and the consequences of breeching those requirements;

·      the types of high risk customers the company encounters, and enhanced due diligence (EDD) measures that are in place to manage them; and

·      red flag indicators of suspicious activity specific to the company’s product and service offerings, and procedures for filing suspicious activity reports (SARs).

Larger companies should think carefully about how to structure their compliance functions so that risks are managed appropriately, and to ensure that senior management can monitor those risks over time. Compliance teams should be suitably resourced and visible within the company.

This may be accomplished, in part, by establishing financial crime risk committees that are comprised of senior risk and compliance staff and that review key management information to assess the effectiveness of controls and identify emerging risks. Robust governance arrangements can ensure that risk management functions are on the front foot against financial crime and are not merely reactive.  

#4 Choosing and Tuning Tools 

To be effective, a financial crime compliance team must be more than just impressive-sounding titles.

Compliance functions must develop and utilise effective AML/CTF policies and procedures whilst having access to systems and controls that are proportionate to the risks their business faces.

Policies and procedures should be developed with the aim of mitigating a company’s risks as identified in its risks assessments. This could include, for example, having in place specific EDD measures for identifying customers’ source of wealth where less transparent products or services are used.

Financial crime systems and controls – such as identification and verification tools, transaction monitoring systems and sanctions screening solutions – should be appropriately calibrated to ensure a firm can operate within its risk appetite.

Bitcoin ‘track and trace’ forensic tools have also been developed and are already assisting many crypto industry participants in identifying and managing risks.

These systems and controls should be subject to regular audit and testing to ensure they mitigate key risks and meet regulatory expectations. 

As JMLSG notes[4], effective systems and controls are generally characterised by factors such as:

·      alignment with regulatory requirements and expectations;

·      appropriate resourcing; and

·      competent staff operating the controls.

Whether a company chooses to undertake internal or external audit, it needs to be able to demonstrate that systems and controls are compliant whilst also enabling it to manage its risks in practice. 

 

#5 Working with Partners

 Strength is in numbers, and crypto businesses can bolster their defences against financial crime by sharing information with their industry peers.

At FINTRAIL, we’ve co-founded the FinTech Financial Crime Exchange (FFE), a partnership of over 50 UK FinTech companies, including several of the UK’s leading cryptocurrency firms.

Through the FFE, crypto and other FinTech companies can share information on financial crime typologies they encounter and best practices for prevention and deterrence.

Proactive involvement in industry partnerships, self-regulatory organisations and other similar platforms can enable a company to stay on the front foot against financial crime.


Other Financial Institutions

 

It’s not just crypto businesses that need to be aware of the changing regulatory climate. Banks and other financial institutions must be alert to the crypto-related risks they face.

As the UK’s FCA stated in its letter to firms in June 2018, ‘You should take reasonable and proportionate measures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets.’[5]

We’ve identified some ways that non-crypto financial institutions can tackle the crypto challenge.

#1 – Measure Risk Exposure

Banks and other firms should not just make blanket assumptions about the nature or extent of cryptocurrency-related risks they may face. A risk assessment and benchmarking exercise can assist in determining the extent of any exposure, whether direct or indirect, a firm may have to cryptocurrency services and users. For example:

·      a large bank undertakes a review of customer transactions to determine whether any customers are acting as unlicenced crypto brokers on sites such as LocalBitcoins.com;

·      a prepaid card provider conducts a review of customers’ spending patterns to determine which customers are buying cryptocurrencies from exchanges, and to understand the nature of that activity;

·      a wealth management firm conducts a risk-based review to determine whether any high net worth customers may obtain their source of wealth from cryptocurrencies, ICOs or other crypto-related products.  

 

#2 – Develop Risk-Based Business Strategies

 Having assessed the nature of any exposure to cryptocurrencies, a firm can begin to make informed decisions about the types of cryptocurrency-related activity it is willing to accept.

Understanding risks and assessing them in a thoughtful way can allow firms to move beyond knee-jerk de-risking of cryptocurrency-related business.

A thoughtful-risk based approach enables firms to maintain exposure to crypto activity and seek opportunities in this exciting new space without taking unnecessary risks.

For example, a firm can implement an approach that allows it to:

·      accept cryptocurrency activity that presents relatively low levels of risk, such as simple trading of Bitcoin on a regulated exchange;

·      engage cryptocurrency businesses that operate in certain jurisdictions but not in others that would present risks of sanctions breeches or other unacceptable activity; and

·      clearly articulate those crypto-related products and services it is not willing to accept so that staff are aware of activity that may not be pursued.

#3 – Cultivate Expertise 

Banks and other firms should develop knowledge of cryptocurrencies among their AML/CTF compliance staff, as well as among their financial intelligence units and investigative teams.

Training and ongoing educational opportunities on cryptocurrencies should be provided to key staff members, who will then be equipped to play a proactive role in managing risks in a thoughtful and truly risk-based manner.

Crypto-focused training can include developing staff understanding of:

·      relevant financial crime typologies;

·      available crypto-related products and services;

·      significant industry developments; and

·      the evolving regulatory landscape around cryptocurrencies.

 

#4 – Deploy Bespoke Controls

It’s important to avoid the temptation to treat cryptocurrency risks like any other financial crime risks.

Cryptocurrency risks warrant bespoke approaches.

When assessing the risks around customers or transactions involving cryptocurrencies, firms should measure risks considering the unique circumstances of the situation.

For example, if a pre-paid card customer is observed purchasing cryptocurrencies from an exchange, it may help to understand if that exchange has a sound reputation and is subject to regulation before deciding if the activity is acceptable or not. This requires having in place a carefully designed methodology for assessing the risk factors around cryptocurrency exchanges.

Developing an effective control framework can also include considering whether to utlise cryptocurrency forensic tools for monitoring customers’ crypto activity or for use in conducting complex investigations in support of SAR filings.

What’s important is that these controls are designed and deployed in a thoughtful manner, and tested to ensure they work effectively.

 


Summing Up

 

As regulators take a closer look at cryptocurrencies, firms must take the initiative and ensure they are managing the financial crime risks.

Whether you’re a cryptocurrency exchange, retail bank, FinTech or other financial institution, the time to begin building a robust crypto risk management framework is now.

At FINTRAIL, we’re equipped to assist your business in its cryptocurrency risk management journey. Whether it’s

·      designing bespoke risk assessment methodologies and conducting risk assessments;

·      defining risk appetite statements and measuring adherence to risk appetite;

·      developing and delivering financial crime training;

·      establishing and supporting financial crime committees and other governance arrangements;

·      designing new policies processes, tools and systems; or

·      establishing audit and assurance arrangements, and conducting tests of systems and controls

 

Our team of consultants is here to help.

 

[1] Europol, From Suspicion to Action: Converting financial intelligence into greater operational impact, 2017, p. 18.

[2] See http://www.fsb.org/wp-content/uploads/r_131118.pdf

[3] See JMLSG, chapters 7.29 – 7.41.

[4] See JMLSG, chapter 3.35.

[5] https://www.fca.org.uk/publication/correspondence/dear-ceo-letter-cryptoassets-financial-crime.pdf

Geopolitics & Cryptocurrency

Cryptocurrencies have been a controversial topic in the FinTech space and wider financial sector in recent years.  Despite a reputation for higher financial crime risk, their increased popularity makes them difficult to ignore and financial institutions are looking for compliant ways to engage.  With evidence to suggest that sanctioned governments are using cryptocurrencies, a robust and responsive risk approach is necessary.

Korean Cryptocurrency

The divisions between north and south are complex, but at first glance it would seem South Korea leads when it comes to the FinTech sector, and more specifically cryptocurrency trading.  Along with Japan, they are regional leaders and South Korea is home to some of the world’s largest crypto-exchanges, including Bithumb and Upbit, with a disproportionate volume of trade passing through its markets.

There has appeared in recent months to be the potential for a thawing of international relations for North Korea, which has been under UN sanctions since 2006, and US sanctions from as far back as 1950.  In recent weeks there have been renewed calls from Kim Jong Un’s regime for an end to US sanctions, following the North Korea-US summit in June, where Donald Trump suggested an agreement could be reached.  But with latest UN reports suggesting the Kim regime is continuing to build their nuclear military capability, a lifting of sanctions is unlikely to happen soon. This makes any North Korean involvement in the relatively borderless market of cryptocurrency trading a cause for concern.  

As sanctions persist, the decentralized, interconnected and potentially anonymous nature of cryptocurrencies offers a portal into the international economy.  It is a way to circumvent economic restrictions that hold the country in poverty, and to continue to fund the country’s nuclear programme which is estimated to cost 30% of the country’s GDP.  Despite the hardship of ordinary people, Kim is himself worth an estimated $5 billion. An unsurprising fact, as North Korea is among the most corrupt in the world, currently 171 out of 180.  Much of Kim’s wealth is rumoured to be held overseas, making the illicit movement of funds a high priority and the under-regulated alternative of cryptotrading very attractive.  The difficulty of tracing the source of virtual funds, especially when trading involves private coins that anonymise the seller and buyer, is compounded when digital assets are exchanged for legal tender.  The dollars, euros or pounds can be entirely without trace of their suspicious origins.

The regime has also allegedly turned its hand to simple theft of cryptocurrencies.  Utilising established cyber capabilities, witnessed in such devastating international cyber attacks as 2017’s WannaCry ransomware attack, North Korea is the main suspect behind at least three successful hacking attempts of cryptocurrency exchanges within the past year. This includes the security breach of the Japanese exchange Coincheck in January, where an equivalent of $530 million worth of coins and tokens was stolen. It is uncertain how much of this reached North Korea, although some estimate the regime was in possession of $200 million worth of Bitcoin and other cryptocurrencies as of March 2018.

Russia’s Crypto Measures

Along with ongoing talk of a national Russian cryptocurrency, the CryptoRuble, that could potentially evade sanctions, another example of the growing interplay between state-sponsored financial crime and digital assets can be seen in Russia’s alleged meddling in the 2016 US election.  Last month, as part of the ongoing Special Investigation led by Robert Mueller into Russian active measures to influence the outcome of the election, 12 Russian nationals were indicted for hacking email accounts affiliated with Hillary Clinton, using cryptocurrencies in an attempt to cover their tracks.  

The perceived anonymity of cryptocurrencies made them the means of choice for facilitating this cross-border criminality.  However, in this case, they were in fact the means by which the criminals were identified. In the indictment, conspirators were identified using the same pool of bitcoin funds to purchase infrastructure that was used for the hacking, such as a virtual private network (VPN).  They also raised funds through bitcoin mining.

It also detailed how they obscured the origin of bitcoin they received:

‘this included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.  They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.’

As the indictment shows, attention to the mechanisms of virtual currency trading is increasingly relevant to the crime itself.  They laundered ‘the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies’.  The growing awareness and recognition of the intricacies of the cryptomarket by authorities, means the same will be expected of financial institutions. It was noted the 12 Russians used a mix of currencies including US dollars so the border between fiat and cryptocurrencies needs to be understood as an institution that believes itself to deal only in one or the other, is likely exposed to both.

Practical Steps for FinTechs

With over 1500 cryptocurrencies currently in circulation, a first step for a FinTech engaging with cryptocurrencies is to be aware of the relative risk of different cryptocurrencies, with the highest risk being private coins and of course coins created by sanctioned entities, such as Petro coin by Venezuela.

Weak KYC and verification processes on signing up for an account with a crypto-exchange is an important factor.   Weak KYC can be deliberately aimed at encouraging wider adoption, with minimal identification required, often with an ideological basis of preserving the anonymised freedom of the virtual realm.

Geography is central to assessing financial crime risk.  While the majority of exchanges have some restrictions in place for the jurisdictions they serve, usually in line with international sanctions, others such as Russian crypto-exchange Simex will allow a North Korean citizen to sign up for an account.

Regulatory status of a crypto-exchange is a particularly fast evolving risk factor.  There is a global move towards both self-regulatory organisations and the establishment of regulatory authorities.  However it is evident that exchanges with lower levels of regulation often have more users and more coins on offer. A lack of oversight that makes these platforms more vulnerable to financial crimes like money laundering, terrorist financing and yes, sanctions evasion.

Conclusion

While cryptocurrency trading continues to shift and adapt to geopolitical trends, FinTechs are excellently placed to respond to changes as they emerge. A comprehensive understanding of the unique financial crime risks surrounding cryptocurrencies and how this is situated in its political landscape will allow firms to assess both the individual customer and their virtual funds in their full context.  Cryptocurrency trading is one weapon in the cyber arsenal of hostile states such as North Korea and this dimension of risk from sanctioned entities should be included by any FinTech looking to deal with crypto funds. As seen in the case of Russian active measures, proper controls can go far in tracing criminal use of cryptocurrencies, and - with the accuracy and permanence of digital transaction data - perhaps even more so than traditional currencies.

5AMLD - What To Look Out For

Just over a month ago, the final text of the Fifth Anti-Money Laundering Directive (5AMLD) was published, kicking off the 18-month countdown until it comes into play. Its precise, full impact is unknown for now, but it is expected to significantly impact the way governments, regulators and businesses in Europe have to approach financial crime risk.

What’s the rush?

This new directive followed the former surprisingly quickly in large part due to the rising popularity of digital currencies combined with the hysteria following the Panama Papers. Given it’s only been 2 years since the last AMLD was adopted (some countries are still trying to implement it), compared to the 12-year gap between the previous AMLDs, it is clear the European Commission is focused on reassuring people and businesses that they are on top of new and developing issues.

What does 5AMLD actually change?

The key change from the 4AMLD comes in the definition of “obliged entities”, increasing its scope to include virtual currencies, anonymous prepaid cards and other digital currencies. Previously, there have been no specific laws aimed to cope with the risks of virtual currencies and it’s clear that with this new directive, the European Commission is intent on making sure that virtual currencies do not become a safe space for criminality. It also shows clear signs of their move to increase the scope of the fight against money laundering (ML) and terrorist financing (TF), as criminals can take advantage of the anonymity of virtual and digital currencies.

The other key aspect of the 5AMLD is that it further clarifies the requirements and timings for the implementation of the required beneficial ownership registers introduced in the 4AMLD. Essentially, member states and the European Commission will be required to keep accurate and up to date registers that must be interconnected to the European central platform. This integration will allow for more efficient information sharing, making it easier to combat ML and TF.

Other features include the adjustments made to address Politically Exposed Persons (PEPs), expanding the definition and pledging to publish a combined list of EU and Member states’ lists of all prominent public functions. Traditionally, a “one size fits all” and “once a PEP, always a PEP” approach has been used, but this system is not adequately risk-based. The new regulations hope to address this issue by integrating a more nuanced and comprehensive approach to identifying and managing the financial crime risked linked to PEPs.

There is also set to be enhanced co-operation and information sharing among EU Financial Intelligence Units (FIUs) in the hope that this will make information more easily accessible and align with international best practices. FIUs across the EU receive broader powers under the 5AMLD as they will no longer need be limited to the identification of a predicate offence or suspicious activity report prior to filing an information request.

So, how to prepare?

With this new directive being introduced, here are a few things firms may want to consider in preparation:

1)    Virtual Currencies – 5AMLD will require obliged entities, i.e. providers engaged in exchange services between virtual and fiat currencies, to be registered and to comply with AML and CFT requirements. National authorities will be authorized to obtain all the associated information and regulate them accordingly. Exchanges that fall under the definition of an obliged entity will need to start benchmarking their existing frameworks against existing EU and jurisdiction specific AML & CTF controls and making any appropriate enhancements.

2)    PEP Categorisation – With changes being made to PEPs, firms may want to start thinking about how they categorise PEPs and how they apply different levels of monitoring such that when the new categorisation criteria come in, they are prepared

3)    Increased Reporting – Under new business ownership discrepancy rules, firms will be obliged to report discrepancies they find between the beneficial ownership information available in the central registers and their own registers. In the case of reported discrepancies, Member States will be obliged to ensure that appropriate actions be taken to resolve the discrepancies in a timely manner.

4)    Due Diligence Advances – 5AMLD will require a specific Enhanced Due Diligence list to be applied when dealing with high-risk countries defined by the European Commission. You should review and update your due diligence processes to ensure full compliance.

If you need any help scoping enhancements for implementation or indeed reviewing whether your current procedures meet the requirements of EU or jurisdiction specific requirements, FINTRAIL will be happy to offer assistance.

UK Suspicious Activity Reports (SAR) - Balancing Customer Experience in a FinTech

Suspicious Activity Reports (SARs) are familiar to many of us as the mechanism used by obliged entities to report suspicion of money laundering or terrorist financing to relevant authorities. However, the SAR process can cause some challenges for early stage FinTechs who are trying to balance regulatory requirements with transparent and customer centric service. It is something we get a lot of questions about, so we thought we would outline some hints and tips on things to think about.

In the asymmetrical game of whack-a-mole that is the fight against financial crime, SAR’s are a useful but sometimes imperfect tool for generating intelligence about financial criminals. Notifying the appropriate financial crime enforcement unit such as the National Crime Agency (NCA) when a Defence Against Money Laundering SAR (DAML) is required is not only the right thing to do but also usually a regulatory and legal requirement. DAML SARs, as the name implies, are reports that describe the most important facets of activity that could be regarded as suspicious and indicative of money laundering.  Their regulatory purpose can’t be understated, as they act a conduit between the events themselves, the handling of the questionable funds, and possible investigation by law enforcement.

However, the nature of SARs and the context they operate in can be challenging. This is especially true for companies and especially start-ups in the FinTech sector who are seeking to meet their regulatory and legal requirements while also providing a great customer experience. FinTechs are operating in an interesting era, where customer feedback on social media and review sites such as TrustPilot have tangible impact on the success of a product or service. They also provide a challenge to financial crime teams and those responsible for public relations (which we discuss below).

We aren’t going to dive deep in to the overall requirements of the SAR regime in this blog, we would be here for some time! Instead, we will focus on a few practical tips for FinTechs to consider when balancing customer experience and their regulatory and legal requirements. Wider SAR guidance is available from the likes of the NCA and the team at FINTRAIL are always available to offer advice.

1.    It will happen

The first thing we stress to our customers who form part of the reporting regime is that, at some stage, you will to have to deal with a customer and the SAR process. You are better developing a simple internal process before it happens. Think about what your team needs to do when dealing with a customer subject to an investigation before you have the additional pressure of them asking for answers. Equally, ensuring you have clear customer off-boarding/exit process will also ensure this is done in a timely and fair way. Once you have a process established, ensure your team is well trained and understands the risks and challenges associated with customer investigations.

2.    Don’t Panic

The language around SARs and things like “tipping-off” can be intimidating, especially when you see terms like criminal offence. Don’t panic about this. By doing step 1 first you will be able to make sure you meet your obligations. No one is perfect, and mistakes sometimes get made, just make sure to learn from those opportunities.

3.    Have a strategy for customer engagement

It’s well known - particularly in the FinTech community, where customer interaction is vital, immediate and direct - that some of those who engage in financial crime are wily and tenacious. They can be hostile in their communications once transactions are blocked, or accounts are suspended pending investigation or the submission of a SAR. Those who must deal with them are presented an unenviable operational challenge: they cannot give anything away that would make the criminal suspect they are the subject of investigation/SAR (“tipping off”), but nor can they lie and treat the customer unfairly.

Each instance is different, but there are some suggestions that are practical for most encounters:

  • Don’t ignore customers, as positive engagement is a better strategy than ignoring them. Be polite, professional and responsive but have a clear line and stick with it.

  • Proactively provide your customer ops or support teams with standard lines or approaches to take in response to customer enquiries. Make sure they have training on these approaches and they are broadly consistent.

  • Trust in your policies and processes, they are there for a reason. However, if you find something has gone wrong make sure you capture the reasons and put it right.

  • Do not be swayed by threats. This is a tactic we have seen used on several occasions to try and force a response from the obliged entity and put those people dealing with them under increased pressure.

  • As an organisation, you should have a zero-tolerance policy to harassment or intimidation and if this occurs you should immediately involve your local law enforcement.

  • Just because they are subject to a SAR doesn’t mean their rights as a customer are suspended. Refer them to relevant departments, such as complaints, in the appropriate circumstances.

  • Sometimes it’ll be necessary to move the case up the chain to someone on the team with greater authority or more knowledge of the situation. Knowing when to do this, and when not to, is important.

  • Be responsive on social media and to customer reviews. The compliance/financial crime and PR/social media teams can collaborate to standardise responses to negative feedback from customers on the back of investigation or exit process, without the risk of tipping-off.

  • However, do not get dragged in to drawn-out back-and-forth with customers on social media. Provide a clear, well-judged and visible response but do not allow them to bait you.

4.    Write clear and accurate SARs/DAML SARs

In the UK especially, the NCA receives hundreds of DAML requests every day and thousands of SARs. To help law enforcement process those requests as efficiently as possible and therefor provide you with the response you may be requesting, it is important to ensure you follow guidance and provide complete, well written and concise SARs. Equally, make sure you follow relevant guidance on when and when not to file a SAR or DAML SAR to avoid over filing and creating unwarranted operational challenges.

 

Without a doubt, SARs perform a valuable function, and they have proven their worth countless times by helping to start and inform investigations into criminal activity. However, the SAR process can cause operational and customer challenges that if considered before they happen, can be managed efficiently while still maximising a great customer experience.

GDPR Principles: Vetting Data Processors In A Digital World

GDPR no longer needs any introduction, and here at FINTRAIL, we loved collaborating with the team at Jumio to help them launch their GDPR e-booklet, which you can download here.  

Together, we came up with 5 key principles that we think best help data controllers understand the activity of their online identity verification providers, and whether or not they’re fully GDPR compliant. Data processors in this space handle vast amounts of sensitive, personal data that, while integral to ensuring customers are who they say they are, can also be exploited or mishandled.  As such, GDPR compliant practices are key.

In brief, these are the main questions that controllers can ask of their processors which will help frame their thinking on this important aspect of compliance:

  1. Human Review: How are verification decisions made and what recourse do data subjects have to challenge those decisions?

    • GDPR gives individuals the right not to have significant decisions made about them solely on the basis of automated processing.

  2. Compliant Machine Learning: Does the data processor employ Compliant Machine Learning?

    • Under GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.

  3. Data Retention: Can data retention policies be tailored to your business requirements?

    • Clear processes around data retention and deletion help processors and controllers deal with the stipulations around Subject Access Requests.

  4. Data Breach Notifications: Do you have a data breach notification process in place and has it been tested?

    • Processors, as well as controllers need to be able to inform relevant parties of any data breach in a timely fashion; having clear and verified processes around this is one step in the right direction.

  5. Data Encryption: Is personal data encrypted and protected appropriately?

    • Proper data protection and encryption reduces the likelihood of a breach and increases the privacy of citizens’ information. GDPR stipulates that personal data is properly protected.

You can read more detail in the e-booklet of course, and find out even more information about GDPR, its implications for processors, how best to approach these questions, and exactly how Jumio is helping controllers maintain and manage their GDPR compliance through its innovative identity verification solutions and careful approach to data privacy.

Cryptocurrencies and UK FinTechs: Perspectives and Experiences of Financial Crime

The UK FinTech FinCrime Exchange (FFE) has just launched its latest white paper on FinTech perspectives and experiences on the nexus of cryptocurrencies and financial crime.

Cryptocurrencies experienced a meteoric rise in both value and popularity at the end of 2017.

While the value of popular cryptocurrencies such as Bitcoin has declined, interest has remained. International governments have been slow to regulate the emerging market, and many in the traditional financial services sector and wider public have expressed concerns related to the ability of cryptocurrencies to facilitate financial crime.
This paper answers the following questions: how does the UK FinTech sector perceive the risks associated with cryptocurrencies, and how are they managing the challenges related to this new disruptive technology?

Our research suggests that while some UK FinTechs have considered engaging more with cryptocurrencies, perceived financial crime concerns, the need for meaningful AML/CTF controls and the lack of regulatory clarity have fostered an attitude of caution.

We found that perceptions of financial crime risk associated with cryptocurrencies differed from actual experiences of FFE members.   These perceptions had a disproportionate impact on how Fintechs chose to engage with cryptocurrencies, limiting their appetite for extending their exposure, and for some, that of their banking partners.

The paper recommends that FinTechs not be deterred by the challenges associated with cryptocurrencies, as financial crime concerns can be managed through tailored, risk-based anti-financial crime tools, and a solid understanding of any areas of concern through a detailed risk assessment process. Regulators as well as law enforcement actors should collaborate more with FinTechs in order to improve the broader understanding around cryptocurrencies, financial crime and new regulatory developments.

More detailed findings are presented in the white paper.

For more information on the FFE or on cryptocurrencies and financial crime, please contact the FFE Admin.

FFE Expansion - Holland

FINTRAIL and RUSI, in partnership with Holland FinTech and bunq, are pleased to announce the launch of the Dutch FinTech FinCrime Exchange (FFE NL)!

The FFE NL is a local network connecting the Dutch fintechs to enable sharing of information and typologies, to help strengthen the sector’s ability to detect and counter the global threat of financial crime. The launch of the FFE NL also marks the FFE’s first step toward global expansion and the development of an international, interconnected network for financial crime information sharing.

The initiative leverages on the success of the FinTech FinCrime Exchange (FFE) UK and builds on its best practices, while also connecting local actors.  The FFE UK is a member organisation of over 45 of the UK’s leading FinTechs, who share information and financial crime typologies and controls. The FFE network produces white papers to exchange best practice on financial crime risk and compliance mechanisms, and share experiences and inform relevant stakeholders in law enforcement, government and regulatory bodies.

The global scope of financial crime and the shared threats faced by all major FinTech hubs particularly underscore the need for the FFE NL, which will give its members not only a trusted place to exchange information, but also access to an increasingly far-reaching network of resources and perspectives.

The first FFE NL meeting will be held on 30 May in Amsterdam, designed to align with the ACAMS 14th Annual AML & Financial Crime Conference Europe.

The FFE network is currently free for members.  For more information on FFE NL or to register interest in membership, please contact ffe_admin@fintrail.co.uk

The FFE was founded in January 2017 by FINTRAIL, a financial crime risk management consultancy, and the Centre for Financial Crime and Security Studies at the Royal United Services Institute (RUSI). 

Investment Due Diligence: Leave No Stone Unturned

Due diligence - a term bandied about readily with much confidence across many different sectors - broadly accepted as a process that underpins a thorough and confident appraisal of a specific business proposition, perhaps a significant merger, acquisition or other investment. At its most effective, due diligence arms a business with the facts it needs to make confident, astute decisions. At its worst, poor due diligence muddies already murky waters and potentially guides businesses down the wrong path.

To avoid the latter outcome, it’s best to avoid an off the shelf, one-size-fits-all process and instead adopt a bespoke approach that accounts for all inherent risks associated with a particular proposition.

Venture capital (VC) investment in FinTech - a booming industry - is a case in point. VCs have to understand complex business models and cutting-edge technology to pinpoint viable investment opportunities. Armed with millions, or indeed billions - $1.8billion was raised by UK FinTechs in 2017 - and facing fierce competition from other VCs, the panoply of risks presented by startup FinTechs could appear daunting.

VCs will often feel most comfortable assessing the viability of the business model, legal and financial aspects and will engage experts to evaluate the technology. That makes perfect sense. The success of a FinTech largely hinges on a successful combination of those areas and, more often than not, those are the risks most familiar to VCs. However, other stones sometimes remain unturned..

People risk is often overlooked or considered addressed through a simple criminal background check. With the wealth of information sources now available it’s perhaps remiss not to take a closer look at those who you’re investing in. Start-up scams are not uncommon in Silicon Valley; an early 2017 Fortune article explored the sector’s “unethical underside”. Are the founders who they say they are? How accurate are CVs and other stated accomplishments - the CEO of Wkriot pleaded guilty to fraud last month. Have failed attempts to fund other start-ups been disclosed, what about other initiatives that crashed spectacularly? Are other business interests in play that conflict with those of the VC? Many a business leader and politician have fallen foul of skeletons discovered in cupboards they’d long since forgotten about.

How about the culture of the firm? Is there evidence of unethical practices in the founders’ previous businesses? What does social media tell us? The merest hint of unethical behaviour could have a huge impact on culture of the firm, which in turn could lead to corners being cut, regulations not properly adhered to and risk decisions ignored or taken well outside of risk appetite.

Thorough due diligence of a FinTech couldn’t be considered complete without a close look at how its offer might be exposed to financial crime risk. The fledgling nature of the firm will mean a full risk assessment isn’t possible, but early inspection of the proposal will allow for an early judgement to be made on the type of controls and framework needed to deliver a compliant and secure product.

An effective due diligence exercise should alert a VC or other investment firm to concerns in any of these areas. However, if risks go unflagged through neglectful or absent due diligence they hold the potential to manifest further down the line with grave consequences for the VC and other stakeholders.

FINTRAIL would be delighted to discuss structuring a bespoke due diligence process for any aspect of prospective investments. Our team have deep experience in conducting due diligence for global banks, investors and government agencies and have a wealth of cutting edge tools at our disposal.

A Step in the Right Direction Toward Mitigating Cryptocurrency Risks

It’s a truth universally acknowledged that cryptocurrencies have the power to create a more dynamic, mobile and accessible financial ecosystem, and the enormous potential of the underpinning distributed ledger technology (DLT) for application outside the financial sector is nowhere near being realised.

But as with most great strides in innovation, there are concerns and risks to address, understand and mitigate as early as possible. FINTRAIL has a keen interest in this fast-paced arena and is working with the UK FinTech FinCrime Exchange (FFE) to publish a white paper later this month exploring FinTech perspectives on and experiences of cryptocurrencies.

In the meantime, UK MPs are launching an inquiry into cryptocurrencies, including exploring the financial crime risks related to cryptocurrencies.

A government review of the need for cryptocurrency regulation is no surprise. The explosion of growth in the sector continues unabated. The German and French governments  have called for greater regulatory coordination ahead of November’s G20 meeting. And the US Securities and Exchange Commission (SEC) has described cryptocurrency as an “across the border priority.” The UK inquiry also coincides with news that seven of the UK’s largest crypto companies have formed a self-regulatory body, CryptoUK, with the intention of promoting best practice and working with the government and regulators.

The Treasury Committee will no doubt consider the late-2017 revision of the EU 4th Anti-Money Laundering Directive (4AMLD), known as 5AMLD that delivers a definition of “virtual currencies,” which include cryptocurrencies, for all member states to adopt in AML legislation.[1]

In addition to the definition, the 5AMLD aims to mitigate risks associated with the use of virtual currencies for terrorist financing. To do so, the 5AMLD extended the scope of “obliged entities”, which previously included financial institutions, accountants, lawyers, estate agents etc., to include cryptocurrencies and other related services such as exchanges and custodial wallet providers. This is significant as it acknowledges that cryptocurrencies and their supporting services carry the risks of money laundering and terrorist financing and that KYC policies, EDD controls and transaction monitoring are required alongside the immediate submission of suspicious activity reports to law enforcement.

While adoption of the new rules into national legislation will take time the principles of the 5AMLD and the obvious appetite from EU member states, the US and the cryptocurrency sector itself to bring about a more coordinated regulatory position, will inevitably play an important role in the deliberations of the Treasury Committee.

Regardless of the outcome of the inquiry, government scrutiny of cryptocurrency at a time when uncertainty and volatility pervade the sector is an encouraging development.

As to the 5MLD, further work is needed to ensure legislation keeps up with the high-tempo cryptocurrency risk landscape; however, for the time being, EU acknowledgement that cryptocurrency carries financial crime risk is a much-needed starting block.

 

[1] Virtual currency is not synonymous with cryptocurrency. Virtual currencies are tradable digital representations of value that are not issued by any government and don't have status as legal tender. Virtual currencies can have a central administrator (as in the case of services like WebMoney, or game-based currencies like World of Warcraft Gold); or they can be decentralised cryptocurrencies, which use cryptography to validate and confirm transactions.

Unravelling the Complexity of Multi-Jurisdictional KYC

Scaling up is a natural part of any FinTech’s journey. This typically involves the exciting opportunity of offering your product or services in new jurisdictions overseas. However, this growth comes with significant regulatory and practical know your customer (‘KYC’) complexity that may expose you to regulatory risk.

Here are some factors to consider when adjusting your onboarding policies and procedures to support customers from new jurisdictions:

Onboarding Portal

You may think setting up in a new country just means copying and pasting your current onboarding portal into another language. Unfortunately, it’s not that simple. Some countries may have different legal entity types or have entity types that do not translate directly. There are also different types of identification numbers in some countries that are given to sole traders and businesses, so make sure to request the correct number. Be careful to ensure your initial KYC questions are clear in all languages on your websites and apps to prevent customer confusion.

Identification

UK Joint Money Laundering Steering Group (‘JMLSG’)  guidance recommends asking for an individual’s name, date of birth and address. But be aware, some countries require more information! In half of the countries we’ve looked at, national identification numbers, like social security numbers, were required. Place of birth and nationality were other common identification asks in other countries. This could require several operational changes, from rewriting some of your procedures, to redoing parts on your onboarding portal.

Verification of Companies

In the UK, many FinTechs will verify the identities of legal entities against Companies House. However, there is no registry for sole traders. In other countries, it is important to check if there is a register for sole traders that should be used for verifying identities as part of KYC, as around two-thirds of countries we’ve looked at had some searchable registry of sole traders. Furthermore, other countries’ corporate registries may not be as easy to navigate as Companies House--requiring you to purchase certain documents or existing as one of multiple company registries. Third party providers should be checked to ensure they are accessing data directly from your jurisdictions’ registries. Understanding verification options for companies and sole traders is important for simplifying your operations.

Documents

In the UK, a primary government-issued photo ID includes a passport, identity card, driving license, biometric residence permit or firearms license. However, in several countries, a drivers licence is not actually considered a primary form of photo ID for compliance purposes. For secondary documentation, while a document from a bank or utility provider may be acceptable in the UK, this is not always the case in other jurisdictions.

Beneficial Ownership

While the 4th MLD made it a requirement for countries to have a publicly-accessible beneficial ownership registry, this is still slowly being implemented in some countries. Of the EU/EEA countries we’ve checked, a UBO register was only available a little more than half of the time. Many countries outside of the EU have shown very little progress on the issue of a publicly-accessible registry of beneficial owners. Not being able to refer to a public registry of beneficial owners may add unforeseen operational costs and considerations that should be taken into account to ensure a smooth rollout.

Directors

JMLSG clearly outlines requirements for identifying a legal entity’s directors and senior management when commencing a business relationship. However, the vast majority of countries we’ve checked do not have explicit policies around the identification of directors. Some may include directors in their definition of beneficial owners, however. This ambiguity could lead you to having to rethink your AML/CTF standard operating procedure on who to identify.

Certification

When information is not easily available to verify through eKYC or checks against a registry, you may need to request certified documentation. Be sure to know the professional bodies of accountants and solicitors in each jurisdiction you operate in order to check the status of whomever has certified your customer’s documents. This will help you avoid any operational hiccups down the line.

Expanding your business into new countries or regions is really exciting, but is not a simple or risk-free process. The amount of nuance and complexity involved in each jurisdiction highlights the need for assessing the financial crime and compliance risks posed in each jurisdiction where you plan to operate. Not only is it important to check for regulatory differences that may create operational challenges in different countries, but also to check areas for higher corruption, identity fraud, money laundering and terrorist financing risks in order to determine whether you need to rethink any parts of your KYC policy.

If you ever have any questions on or need any assistance with managing the financial crime regulatory landscape of a new country or jurisdiction, don’t hesitate to get in touch for more information.

ACAMS Certificate - AML for FinTechs

Today we are extremely excited to announce the launch of the brand new AML for FinTech certificate launched by ACAMS!

FINTRAIL have been working in partnership with ACAMS to bring this online training course to the FinTech community. The course has been designed for FinTechs by FinTechs to give delegates the knowledge and confidence to create and implement an Anti-Financial Crime plan for their organisation.

It covers:

  • Anti-Financial Crime (AFC) regulatory obligations that apply to FinTechs

  • The types of financial crime risks faced by FinTechs

  • Key components of a FinTech AFC control framework

  • Real-life case studies illustrating the risks and countermeasures applied

The first class starts on 21 February 2018 and will be run a number of times over the coming months. You can register to attend the certificate by visiting the ACAMS website via the button below.

Managing a Financial Crime or Regulatory Crisis

Dealing with a financial crime crisis - whether that be a backlog of suspicious reporting that has built up, facing de-risking by a partner or finding out that a sanctions process has been working ineffectively - can be an especially stressful time for clients, particularly if the issues could lead to regulatory intervention, potential losses or the restriction of banking or payments facilities.

This is not to mention the obvious and negative impacts that such a crisis can have on customer trust and the potential reputational impact; in many cases, it can be a matter of survival for the business and brand, where trust is hard won but so easily lost.

So, we wanted to share some insight on how our team approaches these tasks to help readers be better prepared and have a head-start if you find yourself in the position of crisis managing a response to financial crime issues.

  • Understand the nature of the problem. This sounds like an obvious place to start but it is absolutely critical to everything that follows. If you do not genuinely understand the root cause of the issue your are facing, it makes it very difficult to put in place a response that is effective and proportionate. So for example, if you are dealing with a significant up-tick in fraud or failings in AML or sanctions controls, you need to efficiently and effectively understand the nature of the problem so you can identify the core contributing factors and develop a proportionate response.

  • Develop a considered plan of action. Once you have identified the root cause/s of an issue, you need to ensure that you develop a response plan that is action focused and targeted on addressing those specific items as well as factoring in any linked or dependency tasks. For example, it is pointless implementing a new tool or process unless you train those involved in using the tool, otherwise you may just make things worse by increasing operational risk. It is worth bearing in mind that you must be able to demonstrate to your stakeholders that tangible action has been undertaken.  

  • Mobilise effectively. This covers not only how you engage the services of and mobilise external parties but also those internal stakeholders or your support network. This is a careful balancing-act against the needs of normal daily business. Depending on the nature of the issue, segregating resources to focus on the crisis can be most effective. Our view of mobilisation is making sure all those involved very clearly understand the issues at hand and are aligned to the common goal of solving the problem, and that those involved have the commensurate level of accountability and authorisation from senior management. This is no time for egoes or political wranglings.

  • Ensure transparency. We often get asked ‘what should we say to our bank partner’ or similar. Our advice is always the same and that is you should be transparent. In a crisis scenario, you are aiming to maintain the trust you have built with all your stakeholders and transparency and openness are key values underpinning trust. We can confidently tell you from experience that one of the fastest ways to make a difficult situation even worse is by developing an opaque strategy with your partners - when they find out, trust goes out of the window, making the situation far worse. Instead, communicating the issue, along with regular situation reports and plans for resolution will really help to continue the trust you’ve worked so hard to earn.

  • Accurate and effective communication. This needs to focus on the communication intra-team  but also the flow of information to wider internal and external stakeholders. In our view there is a big difference between communicating and communicating effectively. We define effective communication as ensuring the content is received, understood and a behaviour influenced, i.e. action is taken. Accuracy in communication and information is important in a crisis scenario and at times is an area that can suffer from the impact of stress. There are times when a 70% solution on time is going to be better than 90% that is late but accuracy becomes really important when you start to communicate with stakeholders, especially those externally. Accurate and simple communication (underpinned by high quality and accurate information) creates a sense of confidence that the situation is in-hand and under control.

  • Continuous Evaluation. Once you have expended effort developing a response to the issue or crisis and have started to execute, it is vital to constantly evaluate progress and impact. Has anything changed? If it has, what are you going to do about it, how and when? The re-evaluation should be ongoing but it is also a critical process once you get to a point you have achieved your objectives and exited the crisis management situation. A wash-up and/or de-brief is a vital activity as it captures lessons learned and facilitates organisational learning.

The FINTRAIL team has developed deep expertise supporting international banks, FinTech, payments and regulated sectors in response to financial crime or regulatory crisis scenarios, drawing on our capabilities across financial intelligence & investigations, compliance advisory, technology, legal and communications. Our multidisciplinary response team can mobilise rapidly in support of a client crisis, providing executive level guidance and peace-of-mind while also delivering operational impact, all backed up by a support network and follow-on technical capacity as required.

Tax Fraud And FinTech - What You Need To Know

Fintechs have been ahead of the curve in understanding certain criminal typologies thanks to the holistic and data centric approach they often take to tackling financial crime. However, there has been little focus on tax fraud as a criminal enterprise and how that may effect the Fintech community.

With the recent release of the Paradise Papers and Panama Papers, tax evasion and tax avoidance are back under public debate as governments and individuals ponder how best to ensure that everyone pays the taxes they owe. The data leaked by the Paradise and Panama Papers put into the spotlight the blurred lines between tax avoidance and tax evasion, which are often facilitated using the same complex mechanisms and can confuse our understanding of what is acceptable tax reduction and what is not. This has put international governments under pressure to address the growing consensus that tax avoidance and the exploitation of tax loopholes has gone too far.

For the Fintech sector, this means that in the near-to-medium future, our understanding of tax fraud and tax evasion could fundamentally shift. To stay ahead of the curve, we therefore have to ask ourselves: how does tax fraud affect Fintechs and what are our responsibilities in combatting it?

One of the major confusions around tax fraud, tax evasion and tax avoidance is the definitions used. So, here are some definitions to help us clarify the issue at hand:

Tax Avoidance: tax avoidance is reducing one’s tax burden within the letter of the law (but often not within the spirit of the law). Examples include tax deductions or establishing an offshore company or trust in a tax haven to reduce tax liability.

Tax Fraud: tax fraud, according to HMRC, is illegally avoiding paying taxes. It is made up of three components—tax evasion, criminal attacks and participation in the hidden economy.

Tax Evasion: tax evasion is one type of tax fraud concerning individuals or businesses who intentionally misreport information to reduce their tax liabilities.

In terms of regulation, tax fraud has never received the attention given to sexier crimes such as money laundering or terrorist financing. However, this is beginning to change. At the end of September 2017, the Criminal Finances Act came into force in the UK, which made companies more liable for failing to prevent tax evasion, including facilitating the evasion of UK taxes by international entities and facilitating the evasion of foreign taxes by UK entities. The best way for Fintech companies to avoid liability is through robust risk management and a strong compliance programme.

Not only are Fintechs more liable for tax fraud than before, but the problem of tax fraud is growing. The current gap between taxes owed and taxes due is £34 billion, half of which is due to tax fraud.

There are several ways that tax fraud can touch the Fintech sector, including:

  • Using Fintech products to collect bogus tax refunds or to facilitate tax fraud.

  • Using Fintech products to process funds derived from the hidden economy.

  • Using Fintech products to mask the origin of funds

So what can Fintechs do to protect themselves and reduce the negative social impact of tax fraud? Here are our recommendations:

1.     File SARs in a timely fashion. A quarter of all HMRC tax investigations are stimulated by SARs, so filing these properly is critical in the fight against tax fraud. You can also contact HMRC direct via the link here.

2.     Ensure robust onboarding and KYC policies to a) decrease the anonymity of the product and b) avoid liability in tax fraud cases.

3.     Impose reasonable transaction limits and limits on the number of accounts held in order to decrease the attractiveness of the product to tax fraudsters. Keep these limits under constant review based on changing typologies.

4.     Monitor relationships in an ongoing fashion and watch out for red flags such as

  • Suspiciously large transactions sent for ‘expenses’

  • Spending that does not reflect expected income

  • Unexplained payments into customer accounts from sources linked to work or employment

  • Multiple tax refunds coming into one account

  • Multiple transfers to financial institutions in high-risk tax jurisdictions

If you would like to discuss tax fraud further and learn about how FINTRAIL can help identify and combat tax fraud typologies, please do not hesitate to get in touch.