Antiquated transaction monitoring systems that assess Fraud and AML risk based on static, prescribed rules lack the ability to proactively evolve with customer activity within their institution, not to mention broader regional and cross-border trends.
However, with the introduction of artificial intelligence and machine learning into the newer systems of the present and future, do the compliance concepts and ideologies like the risk-based approach (RBA) of the past still hold up?
In this post, we’ll address how next-generation regulatory tech has gone from being a ‘nice-to-have’ to an essential tool for mitigating AML and terrorist financing (TF) risks, and how the risk-based approach has evolved as a result.
Taking a Risk-Based Approach in Money Laundering: A Primer
For financial institutions (FIs), the concept of taking a risk-based approach to anti-money laundering (AML) and counter-terrorism financing (CTF) has been in vogue since the start of the millennium. Pioneered by the UK’s Financial Service Authority (FSA), an RBA-guided strategy for designing AML controls was first introduced in the agency’s 2000 book, “A New Regulator for the New Millennium.”
Since the publication of the FSA’s visionary guide, the RBA concept has been mainstreamed by supernational compliance organizations like the Wolfsberg Group, the Financial Action Task Force (FATF), the International Association of Insurance Supervisors, and the International Organization of Securities Commissions.
For AML compliance defenders, the most impactful interpretation of effective RBA implementation stems from FATF’s 2014 guidance, which offers the following definition:
“A RBA to AML/CFT means that countries, competent authorities and financial institutions, are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.”
Beyond assessing the unique institutional risks posed to them by their customer base and lines of business, FIs also need to factor in the broader risks associated with the jurisdiction in which they operate. FIs must then segment and micro-segment the comprehensive constellation of risks identified after a preliminary threat-modeling assessment, triaging their vulnerabilities along low, medium, and high levels of compliance perils.
However, FATF notes that an RBA “does not exempt countries, competent authorities and financial institutions from mitigating ML/TF risks where these risks are assessed as low.” This caveat is significant because more sophisticated money laundering threats strategically camouflage their operations in business lines and jurisdictions perceived to pose low AML and CTF risks.
Accordingly, these types of conspiracies often enlist the use of nominees or frontmen, with ‘clean’ records that enable them to pass Know Your Customer (KYC) checks without issue. But even more relevant to defective risk-monitoring are the nascent AML typologies spawned by the pandemic, which led to a widely adopted hybridization between new cyber-enabled fraud and money-laundering tactics.
One way to get around such conspiracies is to develop collaborative data-sharing models . These ensure that post-KYC transactional behavior is accurately aggregated and shared among a cohort of financial institutions, synchronously alerting every member in the event of potentially suspicious behavior, such as in the case of account takeovers.
How AI Enhances the RBA Process
The new generation of Regtech AI service offerings have made significant enhancements to earlier deployments of the technology, which critics have framed as being more hype than substance.
But today, AI has become more intuitive and effective in analyzing high-dimensional big data (HDBD) sets, extracting unstructured or so-called ‘alternative data’ to make smarter risk decisions, and learning under uncertainty.
Examples of unstructured, or non-spread sheet, data that modern Regtech systems are able to ingest, read, and analyze ‘contextually’ in relation to other data forms include images, videos, audio, news reports, and sentiment as interpreted from text and even image assets.
AI and machine learning technologies increasingly being deployed in AML compliance environments include natural language processing (NLP), sentiment analysis, neural networks, image recognition, computer vision, graph learning, and network analysis.
Furthermore, identifying patterns under uncertain conditions specifically means that compliance IT engineers don’t need to manually encode prescribed rules and parameters into AI systems to identify previously unknown AML risks.
Instead, unsupervised anomaly detection algorithms, powered by fully autonomous machine learning code engines, can scan complex, disparate, and planetary-scale data banks to pinpoint the ‘unknown unknowns’ of suspicious financial behavior.
Recent studies conducted by Israeli data scientists conclusively demonstrated that modern unsupervised anomaly detection algorithms can meaningfully increase forensic and detection efficiency in AML and counter-terrorism finance (CTF) compliance scenarios.
Specifically, modern machine learning Regtechs have reduced the number of suspicious activity alerts by 40% and by establishing resolution priorities in alert clusters. According to Brooking Institute reports, this capability is transformative as the false positive rate in suspicious activity alert generation in AML exceeds 90%.
Furthermore, using supervised Machine Learning models to help categorize and prioritize amongst massive alert clusters. Beyond false positives is the risk of false negatives. More than risk alerts that get cleared, this goes back to the point about unknown unknowns. In the context of RBAs, consider that these processes will likely not detect threats in customers and business lines perceived by an FI to pose a low level of AML risk.
Take the growing threat of transaction laundering, for example, a reported $200-billion-a- year problem globally. Transaction laundering is a typology that typically involves bad actors “obscuring illegal products they are selling online via the willful misclassification of the merchant category codes (MCC) authorized by credit card companies,” according to risk advisory firm OODA Loop.
Deploying AI to Catch an Overlooked Attack Vector
According to a Thomson Reuters Legal report, the biggest “money launderers are the purveyors of counterfeit merchandise, illegal drugs, and sex services, as well as Internet casino operators who operate without a license.” Even when these illicit goods are sold “legally,” the illicit online business is still misrepresenting the true nature of the credit card payment, in breach of their merchant processing agreement (MSP) with their acquiring bank.
There is also the risk of non-existent goods, where money is exchanged under the pretense before anything actually being shipped. Although more sophisticated criminals will actually create the façade of having shipped something to establish a more credible cover and paper trail.
Given the mass migration of users to e-commerce and even mobile-first transactions during the pandemic, the transaction laundering threat has never been more acute. Amazon, which accounts for almost half of all retail e-commerce sales posting nearly $470 billion in net sales last year, also poses a significant transaction laundering risk. This risk is particularly acute with regard to counterfeit goods.
Consider that half of the entities selling Amazon items are third-party small business sellers (SMBs), which also proliferated during the pandemic – and not just on Amazon – but on less adopted online marketplaces like Walmart, eBay, Facebook Marketplace, and Wish.
The point is that legacy FIs applying traditional RBAs would fail to identify threat actors posing as legitimate online SMB vendors of seemingly harmless items like cleaning products, shoes, clothes, baby, office supplies, and other mundane products.
What’s more, growing supply-chain disruptions, compounded by geopolitical issues such as the war in Ukraine, could be used by threat actors as a believable cover to justify unusual price increases and such.
With Congress and the Department of Homeland Security placing heightened scrutiny on the transaction laundering attack vector, particularly regarding the counterfeit threat, the $1.9 trillion, (excluding digital piracy) acquiring banks operating without AI face significant risks. But a modern bleeding edge AML Regtech can help FIs better detect TL threat actors and perpetrators over increasingly sophisticated hybrid, digital fraud, and laundering typologies.
How Unit21 Can Help
Unit21's risk and compliance infrastructure solution removes the burden of costly transformation projects and engineering deployments for FIs seeking to create synergies in cyber-enabled financial intelligence (CyFI) gathering. Armed with stronger predictive and analytical financial crime intel, FIs can better design, refine, and adjust their risk-based approach as needed for the modern AML and CTF landscape.
In addition to instant SaaS deployment, vast composability that enables seamless integration with and data exchange with other risk analytics suppliers, Unit21 also offers clients the perfect medium between customization and automation. Highlighting the personalization of the solution, Unit21 provides customers with the ability to design RBA-specific rules and workflows that can be re-tuned and tested as the risk landscape evolves.
According to BAE Systems, 70% of banks today are looking to adopt a modern Regtech solution and establish CyFI synergies within the next three years. Facing a rapidly transformed, cyber-enabled financial threat landscape, where regulators and law enforcement monitor TL typologies even more acutely, Unit21 can help entities uneasy about their unknown unknowns develop more accurate RBAs.
Get in touch to see the platform in action.