Fighting Cross-Channel Fraud
Regulators Expected to Push Monitoring to Enhance AML Tools
International ACH is no longer regulated through a "full compliance regardless of what it takes" attitude. A more realistic point-of-view is aimed at effective and efficient monitoring.
With global tensions heating up, concerns about globalization and money-laundering schemes have increased. In response, banking institutions and governmental bodies are developing specialized watch lists and fraud and transaction monitoring solutions.
"There's a need for a more risk-based approach to monitoring institutions where a less advanced method was previously in place," says Zayd Sukhun, a certified anti-money-laundering specialist for EastNets.
Regulators want to make sure that institutions and businesses have closed as many of the gaps as possible to prevent fraudsters from getting away with fraudulent transactions. There should only be a few gaps that are extremely small, if any, Sukhun says. "It's not that you let one person slip through the tiniest possible crack that you couldn't have thought of before," he says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below]. "No, it's going to be that you had a lot of cracks in place and it's very easy for money launderers to launder money through your bank."
In handling international ACH transactions, it's important to maintain continuous staff training, implement intelligent events monitoring systems, and handle alerts efficiently.
During this interview [transcript below], Sukhun discusses:
- How extra due diligence, where know-your-customer measures are concerned, can make big differences when it comes to catching and thwarting money laundering schemes;
- Why regulators will be pushing stronger, real-time fraud detection more than they have in the past;
- How banks can get better handles on fraud trends by understanding international ACH and anticipating fraud vulnerabilities before they hit.
Sukhun is a certified AML specialist with more than five years of banking and compliance experience. He has given presentations about money-laundering at numerous international conferences, including the Arab Compliance Consultants conference, and is a senior product development manager for EastNets.
International ACH

TRACY KITTEN: In previous discussions that I've had with EastNets, we've talked quite a bit about initiatives in Europe to curb cross-border fraud. In the U.S., where payments up until recently have been more isolated, concerns surrounding cross-border fraud have been less striking. That of course is all changing. Can you give our audience a little background about the role International ACH is going to play in globalization, the globalization of payments and some of the concerns the global industry faces where money laundering and fraud come into play?
ZAYD SUKHUN: I think the companies and businesses will ultimately make the judgment call as to what medium to use based on the price of transferring funds. Retail and the average "Joe" make a call based on accessibility. That being said, while expecting an increase for retail customers, it won't be the biggest. I think the real increase will be with the investment-side transactions such as overseas stock offering effects and the like. We can expect to see an increase in transactional activity from high net worth clients as opposed to normal, every day retail groups.
From a compliance point-of-view, I think that the biggest impact will be on the sanction screening side of things. From the AML side it's going to be more on the complexity which will need to be monitored and on the extra efforts of understanding your international clients such as other banks, individuals or companies.
KITTEN: When it comes to some of that understanding between U.S. financial institutions and institutions in Europe, or other parts of the world, where are we in the level of understanding? Are we working together pretty well from a compliance perspective or is more work needed?
SUKHUN: I think so. As far as the concerns the global markets will face from a regulatory standpoint, it's mostly going to surround the BSA and Patriot Act, and they expect an increase in cross border transfers, made by U.S. citizens immediately subject to the non-U.S. banks, to fall under the BSA and the jurisdictions which increase the risk for these foreign banks. But in most cases I think you're going to find that proper measures have already been taken for larger corporations that have already been dealing with the U.S. But we can expect significant increases in the volume of these transactions and subsequently alerts and combined resource requirements on an international scale so the same will apply to U.S. banks.
From your point-of-view there's going to be a need to beef up their resources for the expected increase in volume and traffic. Now naturally with the increased volume, there's a need for smarter monitoring. I feel that the U.S., EU and worldwide regulators tend to work together fairly well. They're pretty good about keeping information and bank secrecy acts in place to prevent information from leaking to external parties, unless there is a justifiable reason, like a search warrant if you will. But the regulators in the U.S. and EU now are catching up with banks and compliance. Before, it was a case where banks had a lot more resources so they were way ahead of regulators and compliance. In some cases they would almost teach regulators how to do proper compliance. Now regulators have caught up and are no longer expecting the "full compliance regardless of what it takes" attitude. It's now a more realistic point-of-view and they're looking for not only effective but efficient monitoring. This will in turn bring about a need for more specialized watch lists and fraud and transaction monitoring solutions, as well as a need for a more risk-based approach to monitoring institutions where a less advanced method was previously in place.
Political Unrest Impacts Compliance

KITTEN: What about when we talk about some of the political unrest that's taking place in certain parts of the world, most notably Northern Africa? How do you see that impacting some of the compliance initiatives that financial institutions, whether they're operating in the U.S. or operating overseas, will have to comply with?
SUKHUN: With regard to the recent issues that have been taking place, I'd have to divide my answer into two parts. The first refers to what I call shifted governments, such as Egypt and Tunisia, and the second refers to what I call shifting or turbulent governments, like Libya. For shifted governments, the domestic institutions need to be critical of outgoing monies and consider their own country as a high risk one, applying increased security to substitute for potentially less than governmental controls. This is essential because now all regulatory eyes are on these countries.
For shifting governments though it's the much greater paradox. Say for example you're a bank in Libya and a local politically exposed person, or a member of the government, wants to transfer money to a large weapons manufacturing country. Under the current government this is perfectly acceptable behavior because it's a country purchasing weapons for its own protection and its own army. But on the other hand there are direct moral implications related to this and the main confusion here being that the UN and international regulatory community is yet to impose sanctions on these countries, particularly following the U.S. sanctions on Libya which just happened. It becomes a question of which legislation trumps the other. Is it international or local government?
I'd have to say the main concern here is with corrupt politicians siphoning tax payer money out of the country, particularly to offshore tax savings. It will be difficult to tax and freeze. See, it's not illegal for banks to transfer money to or from PEPs that are not blacklisted. It just needs to be subjected to increased scrutiny. To be perfectly honest I would just recommend that foreign institutions be extra wary of transferring funds to and from these countries, and this applies to both domestic and foreign banks that are dealing with these countries. They need to apply enhanced due diligence practices and place these countries on what I like to call their international gray lists until international agreement can be reached as to whether or not these countries are sanctioned. Or pay particular attention to politically exposed persons, such as current and former politicians. This is more challenging with newly emerging politicians such as revolutionaries. Banks also need to enhance their auditors to make sure that in the future, if anybody comes and knocks on their door, they have sufficient proof and justification of their actions. But I think that cutting off these countries from a global economy can have substantially devastating long-term effects on already shaken global economies. It needs to be handled delicately. Just take the case of Libya and the sanctions. They're going to significantly affect the price of gas in an already struggling global economy.
KITTEN: I'd like to go back to something that you mentioned earlier just to expand on this a little bit, talking about European companies that might be impacted by sanctions in the U.S. Let's take a moment to discuss how sanctions in the U.S. are impacting some of these European countries. How familiar are European companies, would you say, with the Treasury Department's Office of Foreign Assets Control? OFAC administers and enforces economic and trade sanctions based on foreign policy and national security against targeted foreign countries and regimes, terrorists, international narcotics traffickers, activities related to the proliferation of weapons of mass destruction and other threats. European countries doing business in the U.S. are coming up against very specific compliance mandates. What are the leading compliance issues and what steps are European entities taking to comply with those?
SUKHUN: I believe that most businesses are aware of OFAC, the details of which are only really understood by larger corporations that deal in significant volume and values with the U.S. It's very important for businesses that are dealing with the U.S., or any external country really, to fully understand the laws as they pertain to their case. For small owner companies without large legal and compliance departments, I'm confident that their banks would be happy to outline the requirements that they would be subjected to. It's a shame for a company not to plan ahead and have a deal ruined by a minor regulatory oversight.
Education in this case is a critical success factor for business. The challenge faced by European companies and banks alike is with the different levels of the sanctions. So for example Sudan, Syria, Cuba, Europe can deal with them as long as there are no U.S. dollars involved. Now all European banks are aware of U.S. regulations. Take HSBC for example. There is a 500 million pound fine pending. That is the largest fine ever to be leveled or proposed to be leveled. These guys have all received fines to do with payments tampering on sanctioned countries. Now EU banks are spending a lot of money to comply and this is especially true for the bigger banks that are in many cases spending more than the U.S. banks do, due to their size and geographical coverage.
There are many banks in the EU that are many times bigger than the U.S. banks so their expenditures are greater. The trick is with the fine print to these sanctions. Just to give you an example, if an EU bank has a French company as a client and an Iranian citizen is a 10 percent shareholder of said company, it's illegal for the bank to send a U.S. dollar transaction on that company's behalf or a transaction where more than 20 percent of the original goods are American in origin.
Judging by the recent fines and penalties, I'd say the top compliance issues are sanctions, compliance and sufficient watch list monitoring. There is currently an increase in regulatory pressure for tighter financing controls. It's almost as if these controllers run "cyclical flavor of the year" type stuff. Post 9-11 anti-terrorism financing was at the forefront. Then there was AML and now it seems to be switching back to ATFs. I think more and more regulators are stretching their jurisdiction as far as they can in an effort to control ATF and money laundering.
You can see this in the very recent case against Lebanese Canadian Bank, which is now a blacklisted bank. I think the EU feels it has a tight grasp on preventing money laundering within its borders and that they now need to ensure that the enemy is still at large and kept in check. You will find that European entities are now working diligently to ensure that external transfers are properly monitored and that efficient blacklist monitoring is taking place.
Privacy and Compliance

KITTEN: What about some of the privacy concerns and compliance concerns that come up when we talk about the U.S.'s Bank Secrecy Act? Are you seeing closer scrutiny with regulatory pressures and more penalties for non-compliance with the BSA where non-U.S. entities are concerned?
SUKHUN: Of course. As I mentioned earlier, the Lebanese Canadian Bank is a perfect example of the U.S.'s jurisdiction reaching far and wide because of the BSA and Patriot Act. Another frankly shocking example is that of the Swiss banks. Swiss banks are revealing American citizen information understood of persecution. That was for tax evasion, not even for AML or for sanctions monitoring. The BSA and Patriot Act have significantly changed the banking environment as we know it and they continue to surprise us all every day. If you want to look at it from a really technical point of view, if you read the fine print of something like the sanctions, if I were a U.S. citizen and I own a bar in London and I served a Cuban national a mojito, technically with the fine print that's a breach of U.S. sanctions.
KITTEN: So how do you balance that? How do you know how far to stretch it or how far the umbrella could overshadow those types of transactions?
SUKHUN: I think regulators, in my opinion, are actually quite fair entities. They lay out laws and say just do your best to make sure that nothing fishy is going on. Regulators, you'll find, won't prosecute just any bank for any infringement. Where you'll find the issues arise and the prosecutions arise are when there are significant gaps in monitoring because money launderers are always going to be one step ahead, always. They are always ahead of the trends and we're always in their dust catching up on what they're doing and learning from it.
The thing is that regulators just want to be sure that you've closed as many of the gaps that you have and that any gaps that you might have are extremely small. I think that's what they're going to be chasing on people after. It's not that you let one person slip through the tiniest possible crack that you couldn't have thought of before. No, it's going to be that you had a lot of cracks in place and it's very easy for money launderers to launder money through your bank.
KITTEN: That's a good point that you raised and it's something that I did want to talk a little bit about. When we talk about watch lists, or some of the scrutiny that banks are putting on different transactions to determine that they're picking up on money laundering, can centralizing data and monitoring transactions in real time, such as through real time forensics, contribute to an effective anti-money laundering plan?
SUKHUN: I'm very glad you asked this question. I think centralizing data is an absolute must, and I think it's a shame that banks still don't realize the potential and the power of compliance KYC procedures. Compliance has always looked at it as a call center but when you know your customers and how they behave, which are regulatory requirements, you can more effectively target your customers and shape your products around actual known needs as opposed to what you assume your customer needs. Post event monitoring is needed. It's very rare for you to find a single transaction that you can point to and say this is money laundering. It's usually a string of transactions occurring over a longer period of time. So for real time monitoring it's an absolute must for international payments when it comes to sanctions monitoring and it's very critical for fraud prevention, particularly when you note that some fraud cases can take over a month to detect. And usually when it's detected banks scramble and stop all operations.
Let's focus on fraud. If you have real-time monitoring, you want to use it for your sanctions monitoring and to a large extent for your anti-fraud prevention. But for money laundering it's not a case that it's real time, that you have to know right now that this is money laundering. You have a little bit of a leeway there, but definitely centralizing data is such a benefit. Centralizing your data and understanding your customers' needs and how they work will lead to better service which would theoretically reduce customer complaints and reduce the risk for additional fines such as the most recent RBS fine, where they are being currently fined by the FSA for not properly handling customer complaints.
KITTEN: We've talked quite a bit this morning about international ACH transactions and I'm wondering. With fluid political unrest, how will these issues that we're facing right now from a global perspective impact the way those types of international or ACH transactions are handled?
SUKHUN: I have to divide my answer into two parts on this one. The first is going to be with regard to the way that some financial institutions have already frozen some of their assets that they have for countries witnessing these uprisings. We already know that Mubarak's assets in the Swiss banks have been frozen. Now, especially in Libya because of the explosive U.S. sanctions, some banks may refuse to deal with these countries period just to get off the hassle if you will. And I wouldn't agree with that but due to the nature of OFAC regulations and the BSA, banks simply just want to avoid dealing with these U.S. sanctioned countries to avoid the risk. But it's very important to ensure proper KYC and to know one's correspondents and the compliance procedures, ensuring that you're minimizing these risks. If you just enact some extra due diligence and put these countries on your gray list when it comes to international ACH transactions, you're going to have more volume and you're going to have to be more careful with how you deal with those particular countries.
Cross-Border Fraud Detection

KITTEN: I'd like to ask a little bit about fraud detection when it comes to international ACH. That would again just tie into centralizing the data. There wouldn't be anything special about the international ACH transactions.
SUKHUN: Fraud is a tricky beast. It's easy to plan ahead for but it will always catch you by surprise how some people commit fraud. As with any new accessible payment systems, the risk for fraud is immediate and fraudsters will try to use these systems to trick people into revealing their personal information and willingly hand over their money. It's critical for the global markets to grasp the methodology behind international ACH and try to determine ahead of time how it can be used for fraudulent activity and how best to prevent these activities.
The problem comes with finding the time to be able to do this. On top of their existing caseloads and requirement handling tasks, that's the real challenge. But I think that education of staff members on these methods and customers, especially a simple brochure, can go a really long way in this case. And speaking on education, the correspondence is going to be key to ensuring that the victims of fraudulent activity are kept to a minimum. That, real-time monitoring and when you get a new product, it's a good idea to keep an extra eye on it and maintain enhanced due diligence until you're at a level where you're comfortable with it. The increasing regulations are really going to be a challenge, but more specifically the implementation of these regulations is going to be the real challenge. I think there is a quick jump on the sales side of things for new products to try and remain competitive and provide a better service to the clients. It's important for banks to resist this temptation and perform the proper due diligence and anti-fraud planning. And that's going to be the real challenge, holding back for just a little bit longer to make sure we've done a proper job before we release the product.
KITTEN: I'd like to expand on that just a little bit, when we talk about making sure that we have everything in line to detect fraud and also to keep everyone in the loop. Language barriers when we talk about international transactions obviously play a role. So does processing, especially when we talk about mobile transactions, some of those emerging technologies that you touched on, as well as IACH. What steps should be taken to address AML regulations, counter terrorism financing and know your customer, or KYC controls, when transactions cross international borders across numerous and perhaps emerging channels like mobile?
SUKHUN: It's really important for banks to understand the regulations of the countries they're dealing with. That I think is critical and what's more important is knowing your correspondents in these countries. If your correspondent happens to use you as an intermediary and sends a transfer that happens to be a little on the dodgy side, you can effectively be fined for this and your bank could be closed down. It's important to know your correspondents, know the regulations that you're dealing with, know the law of the implications of those countries and basically do your homework really well.
When it comes to language barriers from a sanctions point-of-view, the most obvious case, and one of the most critical and difficult things to manage, is when it comes to sanctions and blacklist monitoring. And that's from the point of view of names that are in other languages and the amount of permutations and spellings of these names. Now I live in Jordan and Muhammad is the most common name here and in the world actually. And the different permutations and spellings of this name alone are vast. The key is you have to find an AML system, or rather a sanctions system, that's sophisticated enough to account for said permutations. But I think what would help even more is for black-list providers, such as governments, to include as many known permutations and AKAs as possible to ensure that the blacklist checks for international financing and KYC controls are done effectively.
Just to summarize that point, it's important to know the regulations of the countries you're dealing with and know your correspondents very well. The best way to do this is people. The banks like to send out AML questionnaires to their correspondents. Do you have an AML system? Do you do sanctions checking, etc.? Then more importantly, also have the sophisticated system you need in place to account for something like misspellings of names or AKA varieties.
Efficiency in International ACH

KITTEN: Before we wrap up, do you have any final thoughts that you'd like to share with our audience as it relates to international fraud, the compliance issues that we've talked about today or maybe something that we haven't touched on that would be of interest to the audience?
SUKHUN: Regulators are now catching up with banks, compliance knowledge and expertise. Like I said before, it's no longer a case of "comply or die" if you will. It's now a case of you have to comply but you have to do it in an effective and efficient way. If you come and tell me that you have 1,000 staff members all manually reviewing your Swiss messages, wire messages or IACH messages going across, you could still get fined. You have to do it in an efficient manner now. Staff training, intelligent events monitoring systems and efficient handling of alerts are all more essential now than they ever were.