A risk-based approach to tackling COVID-19 crime: Lessons for financial institutions

How financial institutions can improve their risk-based approaches to fight financial crime more effectively during COVID-19 and beyond.

As the pandemic continues, the impact on our everyday lives and the way we do things will persist for some time. While regulators have been proactive in communicating the types of risks to the public, the onus is on FIs to adapt their processes and systems to maintain an effective risk-based approach to combating financial crime. 

The COVID-19 pandemic is accelerating.1 Infection is spreading rapidly in some countries, while others that seemed to have overcome the virus are seeing localised outbreaks, prompting new lockdowns.2, 3 The economic and public health repercussions from the exploitation and illicit trade in wildlife4 are enhancing the scope for financial crime especially around corporate and personal fraud.  In addition, organised criminal groups are using the panic and confusion as an opportunity to exploit cybersecurity weaknesses, steal personal data, and use the stolen data to open fraudulent accounts to receive illicit proceeds and launder funds.  To counter this threat, financial institutions (FIs) have to play their part to protect our communities, customers and the financial system and install a risk-based approach that is COVID-sensitive.

A risk-based approach (RBA) requires FIs to identify, assess and understand each of the risks to which they are exposed, and then to target their resources at the most serious risks and deprioritise where required.5 This approach must reflect the regulatory and legal stance of the individual countries in which the FI operates, and the particular emerging inherent risks associated with each country. Risks relating to anti money-laundering (AML), countering the financing of terrorism (CFT), economic sanctions and preventing bribery and corruption can vary enormously from one jurisdiction to the next.  In addition, FIs need to consider the law and requirements of the jurisdiction which clears the currency used by their customers.  For example, if their customers want to use USD and they’re they located in Asia, then FIs need to ensure certain compliance measures in support of US Laws.

The new normal

Most FIs have existing processes to manage onboarding and subsequent Know Your Customer (KYC) and Financial Crime Compliance monitoring and screening works , but these processes need adaptation to  handle and make room for the fast-moving and unknown variables stemming from COVID-19. In May 2020, the Financial Action Task Force (FATF), an inter-governmental body, warned that criminals were attempting to use the pandemic to exploit the financial sector to commit crimes such as fraud among others. Global health crises such as COVID-19 follow patterns we have seen before with Ebola, MERS and SARS. These incude seeking   to divert  aid and natural disaster relief money and resources by exploiting  disruption to communities, compliance systems, and good governance and supervision.   On this latter point, FATF notes, for example, that most of its members have postponed on-site AML and CTF inspections or are using desk-based inspections instead.6

The chart below illustrates risk management challenges during COVID-19 and highlights where adaption must be considered in the ‘new normal.’

The pandemic response from FATF and many national regulators has been swift, well-communicated and assured, showing flexibility while urging resources to be directed at the highest-risk crimes. Some have granted FIs extensions for when they must file Suspicious Transaction Reports. Others have allowed FIs to simplify their due diligence in some circumstances, such as for new accounts created to allow small businesses to receive digital payments, or for governments to make emergency payments to individuals.7

In Australia, for example, the regulator Austrac noted that the pandemic had made it harder for FIs to adhere to the KYC procedures that are so critical to preventing criminals from channeling funds through banks.8 These often involve face-to-face meetings or the provision of original documents, requests that were in some cases rendered impractical  by the official COVID response. Austrac offered some temporary flexibility in the rules, for instance allowing alternatives to the required identity documents, but made clear that FIs’ should still apply risk-based systems and controls.

Standard Chartered’s Approach

As the pandemic began to spike around February and March 2020, Standard Chartered adopted a proactive approach to the risks that our staff, ad clients were facing.  Our financial crime compliance team convened three working groups which are now being integrated into our standard operations. Each has a different leader, and each is as important as the other two.

One focuses on communication to staff, to ensure their safety and wellbeing and that they receive timely COVID-related information relevant to where they live and work. Remote working and the stresses of the pandemic have taken an emotional and psychological toll on many personnel, and risk-management and services available to staff should take a holistic approach that incorporates such factors.

The second working group focuses on high volume and often time-sensitive processes such as transaction monitoring, live payments’ monitoring, and name screening, to ensure these have continued to adhere to the bank’s security standards despite the sudden shift to remote-working as well as an assessment of where adaptation is required to ensure that staff focus on risk relevant work. Staff responsible for live payments-screening were well-equipped to work remotely under the existing business continuity plan and screening for sanctions related issues continued seamlessly due to extraordinary staff dedication.  Transaction-monitoring however is post-transaction activity  and not as time sensitive as payment screening and staffed by very large teams  based in hub offices, making the shift to 100% remote working more challenging. It was vital to ensure they could work from home in a way that didn’t compromise their safety or security or overburden them given the absence of colleagues who were unwell or unable to work remotely.  Considerations included staff well-being, flexible equipment, remote log in ability, and ongoing security of bank property and information.

Prioritisation of key risks and ensuring the teams did not lose the signal in the noise was paramount at this time. With key risks presenting due to COVID-19 fraud and other financial crime risks was not the time for a diminished work force to spend days sifting through false positives. Standard Chartered had already conducted extensive testing of artificial intelligence over several years to assist with transaction-monitoring, and the COVID emergency offered an opportunity to accelerate deployment. These smart algorithms have proved useful for clearing the many false positives that result from transaction-monitoring, a task that would otherwise have been impossible given staffing limitations during the pandemic. Furthermore, machine-learning has been further deployed to in name screening processes to uncover any undisclosed links between applicants and individuals that might flag a risk. Solid testing and documentation, partnering with excellent technology innovators, review and sign offs at Governance forums, and regulatory notifications paved the way for the ‘new normal’ in surveillance. This will be a positive legacy from the COVID-19 experience.

The third working group analyses the novel financial crime risks emanating from the COVID crisis, in order to update the bank’s RBA. It found, for example, that some behaviours that would not normally have been considered suspicious now constituted a red flag.  Businesses that would handle  large volumes of cash were in many countries shuttered, due to the potential risk of infection from coins and banknotes. Therefore, those that continued to receive significant quantities of cash now merited further scrutiny.  We have also noted a larger volume of corporate fraud with missing money and accounting fraud emerging as common themes for misleading investors.  This trend is present in sectors hit hard by COVID-19 such as oil and gas

In general, however, criminals have used the same tactics as they did before the pandemic, although sometimes with a COVID “hook”. These have involved the same attack patterns used to submit unauthorised payment instructions to FIs, sometimes by subtly changing the authorised signers or the name of the bank in a sophisticated way that suggests the culprits are organised groups of criminals, not single fraudsters.

Information sharing and a focus on law enforcement remain key

Standard Chartered has found that the best way of stopping such attacks as quickly as possible and evolving our RBA is the sharing of actionable intelligence on actual risk events and best practices. Exchanging intelligence where appropriate and typologies about criminal activities prepares regulators, law enforcement, FIs and their clients to recognise those same frauds when they encounter them, and furnishes FIs with the insights needed to update their risk-based controls in line with the new normal – the strongest defence against crime during the pandemic. This approach is aligned with the Wolfsberg Group’s December 2019 “Statement on Effectiveness.”9 COVID-19. It demonstrated the power of FATF and supervisors coming together to support FIs to identify current practices that are not required by law or regulation, that do not lead to the production of highly useful information to relevant government agencies and are of little value to FIs for financial crime risk management .   With an appropriate risk-based evaluation, these practices could be discontinued, and resources employed more efficiently on areas that have increased value from a financial crime risk management perspective and are focused on defined AML/CTF priorities. Bravo.

This article contains insights from Standard Chartered’s Correspondent Banking Academy’s Fighting Financial Crime webinar series.

1 World Health Organization virtual press conference, "COVID-19", June 19 2020, https://www.who.int/docs/default-source/coronaviruse/transcripts/virtual-press-conference---19-june---COVID-19-and-the-world-refugee-day.pdf?sfvrsn=48db03e5_0

2 Reuters, "Germany's coronavirus reproduction rate jumps to 1.79: RKI", June 20 2020, https://www.reuters.com/article/us-health-coronavirus-germany-reproducti/germanys-coronavirus-reproduction-rate-jumps-to-1-79-rki-idUSKBN23R0R4

3 CNN, "Beijing's new outbreak is a reminder to the world that coronavirus can return at anytime", 19 June 2020, https://edition.cnn.com/2020/06/18/asia/beijing-coronavirus-reminder-intl-hnk/index.html

4 https://www.bbc.co.uk/news/science-environment-52125309

5 FATF, "Risk-based Approach Guidance for the Securities Sector", 2018, https://www.fatf-gafi.org/publications/fatfrecommendations/documents/rba-securities-sector.html

6 FATF, “COVID-19-related Money Laundering and Terrorist Financing: Risks and Policy Responses”,  May 2020, P12, https://www.fatf-gafi.org/media/fatf/documents/COVID-19-AML-CFT.pdf

7 Ibid, P14

8 Austrac COVID-19 updates, "How to comply with KYC requirements during the COVID-19 pandemic", April 1 2020, https://www.austrac.gov.au/business/how-comply-and-report-guidance-and-resources/customer-identification-and-verification/kyc-requirements-COVID-19

9 https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

Back to CCIB News and Views

Click here