A threat-based risk assessment may be a unique and incredibly insightful alternative to the current approach.
Change and risk are two sides of the same progressive coin. It’s why banks for years chose not to deal in it. But engaging in the digital economy is no longer a choice; how banks address some of the challenges it presents them with, is.
For David Howes, global head of financial crime compliance (FCC), conduct and compliance framework at Standard Chartered, ticking increasingly complex regulatory boxes in a purely rules-based system isn’t sufficient – not for the bank, the wider financial services industry, and especially not for those who suffer the very real consequences of a collective failure to stop the flow of dirty money.
It's why Standard Chartered is taking a lead role in shaping a new global, cross-sector approach to anti-money laundering (AML). And, given the acceleration in the number of fintech partnerships, which present a whole new threat vector for regulated institutions, why Howes is keen it should influence those fintechs’ approach to risk, too.
“We have to comply with laws and regulations - we do not get to choose these. But you’d struggle to find anyone who will argue that the public and private sectors are applying resources to optimum effect and getting the results from FCC that we hoped for,” he says.
While banks are legitimately concerned about being hit with a big stick by national and international authorities, he believes too much of their focus up to now has been on process and not on results.
That countries intercept and recover less than one per cent of global illicit financial flows, according to the United Nations Office on Drugs and Crime, indicates that AML is broken. Huge investments by banks in technology and people to identify potential suspicious activity in line with anti-money laundering directives and, more recently, stringent international sanctions designed to identify the true beneficial owners of assets, mean they diligently generate millions of reports, but that merely demonstrates they’re watching.
Standard Chartered is keen for banks and others to adopt a threat-based approach to compliance, meaning resource could be better deployed in identifying criminals and providing the relevant authorities with the means of pursuing them. Additional vulnerabilities created by an increasing number of players in the financial ecosystem, not all of whom are required to operate to the same compliance standards as regulated FIs, only make the argument for such a threat-based approach – one that can be mutualised across the industry – more compelling.
Mox, Standard Chartered’s digital bank, launched in Hong Kong in 2021, has already provided such a model. Mox started by identifying the unique threats it faced and risk-rating them. The higher and medium-ranked threats were subject to detailed mapping to identify, for example, specific threat corridors, customer segments, geography links and other important attributes. A joint team from Oliver Wyman, Financial Crime News and Mox then worked together to establish the threat relevance and exposure – for example, to the customer base, products and services offered – and the threat impact, such as the financial impact, reputational damage, and customer and investor attrition. The threat classifications went way beyond generic money laundering to rank Mox’s exposure to the specific crimes that it could facilitate, such as people trafficking and drug smuggling.
The bank then applied general, institution-wide controls as well as controls by customer lifecycle – for example, at the intersection of customer onboarding (the stage in the lifecycle) and human trafficking (the identified threat). The findings of the pilot FCC programme were outlined in a joint report, The Threat Lens – Putting The Financial Crime Threat Back Into The AML/CTF Risk Assessment.
Commenting on the pilot, Howes said: “What Mox has done is innovative in that it tried to rethink the risk analysis and say ‘what are the actual threats that we are exposed to and can we move more of our resources towards them?’. It is in line with what the Wolfsberg Group [13 global banks, including Standard Chartered, which are developing industry standards for AML] is saying on making FCC more effective, by focusing on what we can provide – useful information to relevant authorities.
“Being more threat-based in how we think about financial crime risk is absolutely something we at Standard Chartered are seeking to incorporate. We have built risk models for client risk assessment using similar tech to building a credit model, recognising that the data has to be just as clean for financial crime.
“We take variables at onboarding which give a view on where to risk-rank that client, which directly influences the due diligence we take. In transaction monitoring, we are focussed on collecting data on investigations that we have done by thousands of analysts on millions of cases to identify the various indicators that caused them in the end to be suspicious. That leads to you producing cases that are more relevant to authorities.”
Based on the result of the Mox pilot, The Threat Lens report issued the following rallying cry to financial service providers: “While this approach was considered for new and emerging banks, e.g. Mox, the pilot could be considered by other FIs as enhancement opportunities for their existing programmes,” it said.
“The current industry standard for risk assessments is complex and taxing on smaller FIs who may lack the sophistication of systems, management information and workforce to conform to the arduous traditional exercise. A threat-based risk assessment may be a unique and incredibly insightful alternative to the current approach.”
Wherever they are in the banks’ value chain – a neo that needs banking as a service or a fintech partner providing specific services to a bank, such as KYC and onboarding – Howes says some of the risks these newcomers present are not materially different to those that exist in the correspondent banking network. Exposure in the latter, of course, has led to widespread de-banking as FIs judged the risk that lower tier organisations presented as being too difficult to monitor. Although in Howes’ view that was a retrograde step, simply serving to make it harder to identify crime and improve compliance, he says: “As such, financial institutions are naturally reluctant to bring the same risk into the business that they have spent all this time refining out of it.”
Weaknesses among fintechs, especially in the startup phase, go beyond a lack of internal compliance expertise to specific weaknesses in aspects of their operation. That’s a particular threat in cross-border payments, including missing identity information in the payments chain, making it hard for an FI to understand their exposure to, for example, sanctioned individuals. Indeed, in the UK, the Financial Conduct Authority fired a warning shot across the bows of challengers earlier this year, highlighting inefficient transaction monitoring, lack of due diligence and poor alert management, which would all raise red flags for a banking partner.
“But there are a number of things a fintech can do to be a more credible partner to a bank or to secure banking services,” says Howes.
“Take responsibility for things is the first – if you tell me the regulations under which you operate do not specifically require something relevant to managing risk, that’s not the answer I’d be looking for. You can get a culture clash between techs and banks, but remember you are dealing with a regulated party so railing against it is unlikely to be useful to you. Be honest, thoughtful and curious about what business risks you might be introducing and change your business model and products if necessary. Transparency is important. Any successful relationship is going to be based on trust and if you lose that, you will be debanked very quickly. Lastly, pay attention to clean data and technology stacks – capture the right data accurately right from the outset.”
Mutual trust between organisations – big, small, new and established – will be essential when it comes to figuring out the best way forward, as will a united front against financial crime. Banks, in their work with fintechs, regulators and law enforcers, must take much of the responsibility for that, says Howes, if they want to preserve the trust clients have invested in them for so long.
“The compliance mission of the banks in the past has primarily been protecting the bank from regulatory action; that’s important but it should not be the purpose. We should recognise the bigger contribution financial institutions can make to society by leading the fight against financial crime,” he says.
That clearly requires a change of attitude both inside and outside of the organisation. And the dial, he hopes, is moving in that direction.
This article was also published in Fintech Finance.