Five lessons to learn from anti-money laundering failures
With big banks and digital challengers alike under pressure to tackle money laundering, MLRO Alex Nash shares five lessons on strengthening your AML processes.
Money laundering is the practice of “cleaning” dirty money to disguise its illegal origins. It’s a crime that flies under the radar by design and so it’s difficult to measure its true economic and social impact, but research by the United Nations Office on Drugs and Crime (UNODC) suggests that up to 5% of global GDP—a staggering US$2 trillion—is being laundered each year.
The fintech space is growing rapidly and new technology is making it easier than ever to move funds around the globe—and with every new innovation come criminals looking for ways to exploit it. That’s why financial institutions of all sizes are coming under more pressure to strengthen their defences and step up their efforts to tackle money laundering. But despite regulatory bodies introducing stricter anti-money laundering (AML) rules and standards to hold financial institutions to account, many continue to fall short of their obligations.
Financial crime knows no size
Recently, banking giants HSBC and NatWest were hit with hefty fines for failures to comply with AML regulations. Digital challengers Monzo and N26 have also taken a reputational battering due to inadequate AML controls. And it’s not just banks coming under fire: fintechs, electronic money institutions, and payment service providers are also facing increased scrutiny. The message from the regulators is clear: regardless of size or stature, every financial institution must take its AML responsibilities seriously and make sure the systems and controls it has in place are fit for purpose.
“Systems and controls that are purposeful, efficient and courageous in identifying suspicious activity are vitally important; system and control failures, on the other hand, provide an invisible, illicit cover for criminals and criminal activity that affects the whole community, not only in this country but also beyond, and can erode confidence in the financial system.”
But today’s failures can become tomorrow’s successes when we seek to learn where we went wrong. By examining where financial institutions typically fall down when it comes to AML, fintechs can get a clear picture of where they need to strengthen their controls to protect themselves, their customers, and the financial ecosystem as a whole.
1. Know and understand your customer
Most banks and fintechs are aware of the critical importance of strong Know Your Customer (KYC) procedures—but it's still an area that a lot of them fail to get right.
Onboarding is ultimately a risk assessment exercise: you need to know the right things about your customer at the start of the relationship so you can make better judgments about their future activities. Many companies forget to take a risk-based approach: they may be gathering a lot of information about their customers up front, but it’s not necessarily the right information. A risk-based approach means that you understand the information you need in the context of the product or service you are providing and the specific risks inherent to your business model. Aligning your risk assessments with your controls won’t just help prevent money laundering—it will also help improve your customers’ experience (see point 5 below).
Top tip: With a raft of new ID&V technologies on the market, automating KYC is now easy, accessible, and, crucially, scalable. But don’t just jump at the shiniest new tech solution—it’s also important to choose a vendor who understands the regulatory landscape you operate in and who can help you tailor their systems to meet your business needs.
2. Getting it wrong costs more than getting it right
As some big banks can testify, the time and effort required to remediate serious AML problems often far exceeds the time and effort they put into creating their systems in the first place. This is because things that seem like trivial problems can actually be extremely difficult to fix, and some fixes put in place to solve the original issue end up bringing more problems to light. This is also why the time periods required for remediation are typically measured in months and even years, not weeks.
This might be manageable (if disruptive) for large established players, but most small and early-stage financial institutions don’t have the resources to spend years battling the remediation hydra. Getting it right today is crucial, even if it requires a large upfront investment.
Top tip: Your business proposition may be unique; your compliance requirements are unlikely to be. The increasing standardisation of AML solutions means that partnering, rather than building, is often the most logical choice.
3. Embed proactive controls to prevent reactive mitigation
AML is not a one-off activity; it's a constantly changing process, especially in a high-growth fintech. Your products, your customers, and your operating environment will change, and so will the regulations you need to follow. This means that your systems don’t just need to work as expected now; they need to be able to adapt and scale with your business.
For example, if you were onboarding a company in 2019, you had no legal obligation to verify the identities of its beneficial owners. It was considered good practice, but smaller and growing institutions tended to stick to the basic requirements. When the 5th Money Laundering Directive (5MLD) launched in 2020, suddenly there was a significantly increased requirement for verifying the individuals behind the business. This is an example of how a minor shift in statutory instruments can have a major and relatively sudden impact on how you run your AML processes. If your system hasn’t been designed for adaptability, you can find yourself scrambling to meet your obligations.
Top tip: One fundamental rule of compliance is that requirements will change. For a more in-depth look at building compliance programs that can scale and adapt, check out Four tips for getting compliance right in fintech startups.
4. Make the right decisions with the right data
It’s critical to capture evidence of all changes in your environment and to revisit existing compliance rules to ensure they remain relevant. If you’re not keeping rigorous records of the data going in and out of your systems, you’re going to be making future decisions around those systems with incomplete information. Maintaining a full audit trail of the data that drives your decisions and the actions that result from those decisions is just as important as documenting the decisions themselves. This audit trail will not only support and verify future decisions, but also stand as important evidence of why a particular decision was made at a specific point in time.
Top tip: Your regulators and banking partners will demand accurate, transparent, and up-to-date reporting. Proving that your AML systems and processes are working is just as important as having the systems in the first place. If you can’t prove you did it, you didn’t do it!
5. Take a compliance-by-design approach
Your design and product teams need to be thinking about compliance as an integral part of the customer experience. If AML requirements are shoehorned into a product as an afterthought, it’s going to create more risk for your business and also negatively impact on the customer experience. The discovery phase of any product development process should include a full analysis of any applicable regulations and guidelines. Important questions to ask include:
- Are you collecting the right data?
- Does that data have a purpose?
- Are you using that data as part of your risk assessment of the customer?
- Does your product allow you to understand customer behaviour over time?
Top tip: Knowing what data is needed, and when and where to collect it, can impact your customer experience and market penetration. This requires deep domain and compliance expertise. Don't just look for vendors that provide you with capability—look for those with the domain knowledge to create complete solutions.
Putting AML at the heart of your business
At the end of the day, it shouldn’t take a huge fine to tell you something is not right with your AML controls. A proactive approach means having a complete understanding of how your systems and controls work, testing them regularly to ensure they are adequate and fit for purpose, and fixing issues before they become catastrophes.
When AML controls are compromised in the pursuit of growth, the consequences can set your business back years. But more importantly, neglecting your AML obligations enables criminals and ultimately causes harm to individuals and communities. Money laundering may fly under the radar in many cases, but its victims are very real—and the best way to protect them is to put AML at the heart of everything your business does.