How fintechs can fight back with smart governance
By Connuil McEvedy - 04 July 2023
Connuil McEvedy is Chief Risk Officer for Shaype. He is a passionate proponent of the benefits of innovation and technology, especially real-time capabilities, to improve regulatory compliance and consumer safety. Connuil is based in Sydney.
Financial crime evolves quickly. Financial crime prevention does not.
In the past, criminal groups used physical locations and cash to launder their funds. Post-pandemic, financial crime is no longer onshore and cash-based; it's now offshore and cashless.
Age-old criminal playbooks are now delivered via technology. Everything old is new again - just faster and digital. When Aite-Novarica Group asked FIs about the trends associated with various forms of payment fraud attacks, 57% said that mule activity over real-time payment rails was up in 2022 vs. 2021, 71% said that consumer account takeover using real-time payment rails increased in 2022 vs. 2021, and 62% said that consumer authorized push payment fraud via real-time payment rails increased in 2022.
Scams are just the tip of the financial crime iceberg. The world filed more SMRs in 2022 than the year before and predicate offences continue to grow.
Regardless of the underlying activity, the priority is to make clean funds available for use. Hence, the adages of ‘who benefits’ and ‘follow the money’ are more relevant than ever.
Sharman (2011) identifies that global diffusion takes place because states and institutions want to be part of the global system, but not necessarily willingly; it is their concerns about the consequences of being left out that are the key incentive.
Here are some of the lessons we’ve learned at Shaype.
Financial crime prevention frameworks are evolving from general principles to specific activities
Expectations of compliance are often in conflict with reality. The reality is that AML/CTF professionals cannot prevent financial crime from happening. Rather, we can attempt to manage the impact of financial crime risks when they occur. This presents us with choices.
Our choices are powerful.
Different models, structures and capabilities reflect our choices.
Financial crime is executed because the systems, procedures and structures, through their design, manner of implementation and operating effectiveness, also introduce potential risk vectors.
Information, intelligence and utility are not the same - why are they different?
Information is data in a contextual, structured or narrative form. Care must be taken to avoid data overload, which is always a problem, but data ignored or excluded because of capability, belief or analysis will cause problems later on.
Collecting information in itself does not result in obtaining intelligence. Almost anything in the financial services sector can be financial crime information, whereas intelligence is analysed information that supports decisions.
Intelligence must go through analysis and a complete process cycle before it can be acted upon.
This cycle should be designed to meet organisational or centralised processes, methods and capabilities. The process continually evolves in response to changes in social/cultural factors, technology, needs of consumers and producers and analytical skill.
Unintended consequences from demarcation
The problem of misaligned holistic approaches at national, supervisory, institutional and individual lines should be addressed calmly and openly. There is a need for appropriate and clearer divisions with correct oversight and escalation mechanisms. Demography and technology should have more weighting than geography when evaluating financial crime potential.
The national and international regime is also closely linked to foreign policy considerations as it relies upon the enforcement of economic sanctions and the targeting of economic activity of both non-cooperating countries and politically exposed persons. This contagion by realpolitik reflects studies and comments regarding terrorist financing, which show how FATF pronouncements influence bank activity, which in turn drives compliance across different jurisdictions out of a fear of missing out, not an innate desire to prevent financial crime.
Management of financial crime is addressed through regulatory tools, assessment of the precise and effective adoption of regulatory and supervisory rules and standards, consistency of reporting practices, the strict adoption of policies and the application of procedural standards.
Enforcement, on the other hand, is focused on investigations, confiscations and prosecutions.
Opportunity is a flexible characteristic of financial crimes and varies depending on the actors involved. Types of financial crimes committed can vary as much as the criminal organisations and individuals involved.
Several scam attack vectors (e.g. bank impersonation scams, romance scams, tax authority scams) have developed to induce the consumer to turn money over to fraudsters voluntarily. These scams are designed to play on the victim’s emotions, resulting in the victim willingly sending money to the fraudster. The attack method successfully contravenes controls since those have been designed to detect unauthorised transactions, not those voluntarily sent by the genuine account holder as authorised push payments.
Conversely, environments where internal controls, audit and risk management are effective will necessarily reduce windows of opportunity and, at the same time, raise flags and alerts with respect to irregular situations.
Unfortunately, where financial crime has occurred, whether willingly or unwillingly, the institutions have enabled it and their individuals have missed or ignored risks due to information governance and controls. This reflects reality and we must accept that we can only identify and respond with what we have right now but we must continually plan for the future.
The necessity to understand the mechanical and technological aspects of financial crimes after the fact is the key catalyst for change and prevention in future control and process iterations, but this timing disconnect can have a multiplier effect until those changes are implemented.
Enforcement and prosecution are at multiples of time delay. Information, proof of crime, inherent differences and difficulties in intelligence and evidence lead to a fundamental mismatch and dissatisfaction between victims of crime, institutional exposure, social expectations, civil or criminal prosecution and potential insurance coverage.
Some initial discussions and actions include:
Enforce basic name validation and integrity checks for domestic payments as the first step while creating simple, appropriate compensation models. The ability to make payments faster cannot come without controls to support the stated goal of integrity in the payments system.
Review intelligence and information capabilities within institutions and sectors.
FOMO may be a key decision factor for immature individuals; it should not be one for financial institutions.
Continuing harmonisation of principles and common controls and information but integrated implementation at supervisory, institutional and individual lines will fail unless governance and clarity are enforced publicly and often.
Access to banking is seen as a right and a utility. Financial crime and maintaining integrity is a public good. Debanking by checklist is a lazy outcome but will continue unless governance and clarity override personal benefit or corporate rent seeking or profit taking. Implementing actions arising from recent AUSTRAC guidance should be a priority.
Simple questions on governance, methods, and personal behaviours by actors who are both performers and enforcers have not been answered. Behavioural, reward and performance management must be timely and aligned to events, not set annual cycles.
Material future challenges on technology, digital identity and privacy are the new vectors, and these questions need to be addressed.
Professional maturity will not occur when underpinned by unnecessary secrecy, reputation management by checklist and seeking funding by ‘look what happened to x’.
If governance is how we hold individuals and institutions to account, and Royal Commissions and judicial reviews into financial services and casinos have identified clear and simple activities to improve oversight and governance of compliance, conduct, regulatory and operations risks, why are we not doing it?
This blog is an edited summary of a keynote speech delivered by Shaype's Chief Risk Officer Connuil McEvedy at the Transform Finance FinCrime Summit in Sydney, Australia on Wednesday, 31 May 2023.