Banker's Digest

Banker's Digest

AML in the Age of Cybersecurity: Who Should Pay?

109.2台灣銀行家雜誌第122期 / By David Stinson

AML in the Age of Cybersecurity: Who Should Pay?Bankers Digest
It was just over 20 years ago, in 1998, that Will Smith’s movie Enemy of the State came out. The notion that the government had a network of electronic devices that could track one’s every move captivated audiences. Today, in the age of social media and smart phones, the idea that it would only track one person at a time seems quaint.It was about that time that know-your-customer (KYC) requirements would become a serious business requirement. The 9/11 terrorists had no problems opening bank accounts with fake social security numbers, causing a shock reaction. Since that time, a variety of other terms like "beneficial ownership," "politically exposed persons," and "layering" have entered the lingo. All of these concepts require information-intensive checks that would have been harder before the internet.Technology, and the increased complexity it allows, have directly created new tasks for banks. This dynamic is similar to the way that information systems have created new cybersecurity requirements. In fact, the two fields have many common elements and may eventually merge: in both cases, no human manager could possibly aspire to understand all elements of the system in real-time. Many of the practical systems used in both cases are the same. Hacking itself has grown from a hobby endeavor into a financially significant area of crime, and coverage of financial crimes, including anti-money laundering (AML), will need to become more complete and proactive.One reason for comparing the two fields is that the economics of information security has become a subject of burgeoning academic research. In a 2007 paper entitled The Economics of Information Security, authors Anderson and Moore wrote, “Game theory and microeconomic theory are becoming just as important to the security engineer as the mathematics of cryptography.” Yet over ten years later, global AML practices remain extremely process-based. Can it learn anything from ideas in its sister field?The Punitive ApproachThe godfather of this line of research is Jack Hirshleifer from UCLA, who has described the implications of differences between “weakest-link, “summation,” and “best-shot” systems. Each of these concepts is applicable to the software development cycle at different stages, with analogies to AML controls as well.For the weakest-link game, he imagined a circular island which lies below sea level and must defend itself from flooding using dikes. Each property owner owns a section of the shoreline, and any flood would spread throughout the island. Each individual has the incentive to maintain his section of the wall to some degree, under the assumption that others will do so as well, but the government can still play a role in pushing each citizen to build their walls a little bit higher.This model can be used to describe the dynamics of the punitive approach to AML. The Financial Action Task Force (FATF) has effectively coaxed countries to participate in the regulatory regime by ‘naming and shaming’ stragglers. This initiative has helped ensure that no bank is left out of the scope of global regulation, as Mega Bank painfully learned in 2018 when it was hit with a US$ 29 million fine. According to the logic of the game, banks might achieve some results based on their own reputational concerns and other costs, but the process can also benefit from external incentives, and also from a global strategy which would be made possible by information sharing. Existing approaches have resulted in an extremely bureaucratic conception of compliance. Widely cited UN statistics show that only a fraction of percent of the proceeds of crime are seized. Professor Ronald Pol of La Trobe University writes that, “A criminal mastermind given the chance to rewrite anti-money laundering rules might just keep what we have, on the basis it keeps the authorities ineffectually busy.” At the same time, the rules are cumbersome. A Thompson Reuters survey found that 89% of corporate customers of financial institutions had not had a good KYC experience, while 13% had changed their provider because of it.In software development, this weakest-link thinking corresponds well with the role of frontline coders. Each one should make sure that their code is written well to begin with to prevent bugs from undermining the overall effort. On the higher-level architectural design, however, results might be roughly proportional to total efforts, making this portion of the development cycle a summation game. System design for software corresponds to the risk-based approach in AML practice – an overdue effort to prioritize the different risks by their actual consequences.The risk-based approach may be assisted by technological development, allowing banks to unify their strategies in ways more detailed than regulators would be able to implement. Natural language processing of legal documents, for example, is allowing banks to quickly identify related parties during the KYC process. AI is turning AML into a real-time proces. Notably, these are not labor-saving techniques, but rather technology-push inventions that will allow more work to be done. In the longer term, such technologies might increase expectations of what’s possible, resulting in further regulatory requirements for banks. War GamesMeanwhile, the security process does not end with the release of a program. In the software world, the practice of “bug bounties,” in which outsiders (either designated teams or the general public) find ways to penetrate an existing system, and get paid for not selling that information on the black market, is becoming increasingly accepted. This model recognizes the legitimate market value of security in a fully adversarial context. This lottery payment model is optimal for the final system, called “best-shot” because everyone benefits from the efforts of the top performer. If governments want banks to truly internalize the value of control over financial flows, a bug bounty system for money laundering, in which banks are compensated for finding criminal behavior using their systems, might be the next step. The problem with summation systems is the well-known “tragedy of the commons,” in which the smaller players take advantage of the efforts of the larger ones. Size plays a key role in the economics of AML controls. For larger banks, the regulatory and reputational costs of money laundering incidents is more than enough incentive to attract the attention of banking executives. HSBC’s 2012 money laundering case was described at the time of its settlement as “one of the darkest chapters in its 153-year history.” Smaller banks, on the other hand, may not have a 153-year history to defend, nor the means to develop their own AML systems, and thus form the weakest part of the system. Direct incentives could help. The typical danger with direct payment models is the creation of perverse incentives, but it seems unlikely in this case. The purpose of AML regulations is not to cut off access to the financial system by any particular segment. In fact, if a bug bounty program incentivizes banks to serve segments that are currently deemed too risky, it would probably be a good thing. As one example, AML regulations have made small international remittances considerably more difficult, affecting the economies of a number of developing countries.As further justification, consider that banks are already benefitting from regulations, but in a perverse way. Increasingly stringent AML requirements have allowed banks to fend off competition from alternative business models. That was one of the main factors behind the travails of Facebook’s Libra digital currency. But these rewards fall the entire sector, regardless of the strength of any particular bank’s controls. No wonder they approach AML in a way that seems to emphasize appearances over results. This is the sort of situation where microeconomics can shine.Small BankingSystems to control money laundering, as with cybersecurity, tend to have strong economies of scale. Lightweight third-party platforms are currently working to disaggregate all sorts of marketing, operations, and regulatory functions, threatening the role of traditional banks, particularly smaller ones. These banks are finding that their core advantage may be much more low-tech: simply knowing the customer better. Yet many of the resulting benefits accrue not to the customer, but rather the government. Third-party platforms are emerging allowing banks to outsource certain aspects of their KYC and AML controls, which will help make the process more systematic, especially for smaller banks. In fact, many of the functions that can be outsourced are precisely the ones that face the customer. Routine customer onboarding, for example, seems like a prime candidate for outsourcing and automation. Done badly, the process can turn away customers, but not to the point of affecting branding. Complex cases, and complex processes such as multi-transaction analysis, must however generally stay in-house. Financial institutions are not allowed to disclose the targets of sensitive reports filed with regulatory authorities. To date, AML services have usually focused on certain processes or geographic areas, and because the task is so multifaceted, this will probably remain the case. As the world becomes increasingly connected, allowing crime to scale ever-more efficiently, banks now make up a critical component of the continuously expanding surveillance state. Maybe it’s time for us to acknowledge that banks’ main value accrues to the government rather than the consumer, and adjust their revenue model accordingly. A bounty model could benefit smaller and more old-fashioned banks who have more personal contact with their customers. Maybe money laundering is more of a human problem than a technological one.


Banker's Digest


new! 台灣第一家純網路銀行導入
new! ESG Investme..
new! Closing The ..
new! ETFs and Fin..
new! 全球個人對個人國際匯款總..