Issue 16 - Winter 2020
Irish financial services firms’ efforts to tackle financial crime are to be commended, according to the latest Future Financial Crimes Report by LexisNexis® Risk Solutions. It shows that banks and financial institutions in Ireland are confident that they’re winning the fight against money laundering and terrorist financing, with more than nine out of ten (94%) of the compliance professionals surveyed, displaying high levels of self-assurance in their ability to identify and track new types of crime and criminal methodologies.
This should, in turn, provide some reassurance to us all. Financial crime doesn’t just target account holders’ savings and assets, it provides the funding for a wide range of other offences. It’s fuel for the organised crime that costs Ireland over €1.7 billion a year, according to a study funded by the European Commission. That includes violent drug gangs that blight communities and a host of predicate offences to money laundering, including murder, terrorism, and human trafficking. Any success combating these is a clear win for society and very welcome.
Ireland’s current confidence levels have been hard-won. The country’s financial institutions have spent heavily on bolstering their controls that help prevent financial crime. On average, large Irish firms spend €23 million on compliance with financial crime regulations, such as anti-money laundering and “know your customer” legislation.
Not that any of us can afford to be complacent for a moment. If there’s one thing organisations can be assured of, it’s that financial crime is a relentless and constantly shifting spectre. And so the robustness of a firm’s anti-money laundering (AML) and combating the financing of terrorism (CFT) processes must also be regularly pressure tested.
According to the report financial institutions are being overwhelmed not just by the sheer volume of attacks, but also by the complexity and the wide variety of attacks that bad impersonators are using to facilitate money laundering activity. When asked about the biggest threats they have been exposed to in the past 12 months, the most common forms of attack firms detected were criminal use of third party advisers, money mules and abuse of Irish and UK offshore corporate structures.
Over half (54%) of Irish firms were exposed to the criminal use of third party advisers, and over a third (35%) expect this to continue to be a risk in the future. However, the majority (93%) of institutions expressed confidence in their ability to detect this form of financial crime, and over half were very confident.
Similarly, 47% of banks said they’d detected the use of money mules – a form of second-party fraud designed to facilitate money laundering – and a third (33%) expect to see this crime continue to be a risk. As a typology, money mules are extremely difficult to spot due to the fact that to all intents and purposes, the customer appears genuine and often is a genuine impersonator or actor who has been recruited, rather than an account opened for fraudulent purposes.
The abuse of offshore structures – using shell companies to hide large transfers of money, globally – was detected by 38% of firms, and over a quarter (27%) expect to see this rise in future.
Perhaps most concerning is that the report suggests financial criminals are tailoring attacks based on the perceived weakness of the target organisations, using typologies they believe they’re least able to detect. For example, 46% of the banks surveyed in the UK detected money mule activity in their networks, but this rose to 60% for challenger banks which are known to have greater difficulty spotting the indicators of this crime due to the lack of extensive historic customer data to call upon. It’s likely that this behaviour is equally as prevalent among criminals in Ireland, as well as the rest of Europe.
Financial crime also continues to evolve as a result of criminals’ innovation and sophistication, as well as new business practices, products and technology. The rise in cybercrime is perhaps the most obvious example.
While more than a quarter of UK firms (26%) say they’re exposed to the illegal use of emerging technologies and methodologies, such as cryptocurrencies, only 11% of Irish firms agree. Likewise, fewer than one in ten (7%) of AML professionals in Irish firms say they expect misuse of cryptocurrencies to pose a growing threat to their organisation in the next 12-18 months, compared to more than three times that number (29%) in UK firms.
In part, this gap may be due to differences between the firms being questioned, both in terms of their size (the largest UK firms are typically bigger than those in Ireland) and type (different institutions are exposed to unique risks). Smaller firms with fewer customers are consequentially likely to have fewer customers wanting to transact in cryptocurrencies, added to which, many banks continue to refuse to handle transactions of these types. Another consideration is the inherent difficulties spotting anomalies with these types of transactions – just because firms are not detecting them, doesn’t mean they’re not happening.
The apparent gap in perceived threats between the UK and Ireland may be behind the disparity in confidence levels between institutions in the two countries. Just 65% of UK firms say they feel very confident in their ability to tackle new financial crimes, compared to 94% in Ireland.
UK firms are also spending considerably more on their efforts to do so. Average compliance spending by large and medium-sized British firms is more than double what it is in Ireland, at €48.9 million. For small firms, the UK figure is more than triple, at €9.5 million.
It could therefore be that Irish firms surveyed are indeed better prepared, or at lower risk of attack – or a mixture of both. But could other factors also be at play?
Another significant factor may be regulation. The EU’s fifth anti-money laundering directive (5MLD) came into force in UK law in January 2020, but Ireland only authorised it in August this year. Among various requirements, the directive brings some emerging technologies under regulatory scope for the first time, with new requirements for crypto-asset exchanges and digital wallet providers, as well as the banks that serve them.
The UK’s experience operating and reporting under 5MLD probably explains some of the increased emphasis UK providers put on these risks – a disparity that may reduce over time. Another related factor is the different approaches the two countries take in tackling and detecting financial crime.
On the face of it, Irish and British firms’ spending on compliance is weighted similarly, with a bias towards investment in people, over technology and systems. Across all sizes of firms, the split between labour and other spending is identical in the UK and Ireland. About two thirds (64%) goes on human resources in both.
In practice, though, labour costs in Ireland are lower, because of wages. Salaries for the head of AML in a London firm, for example, start at £100,000, according to recruitment consultants. In Ireland, the figure is €80,000, with the same sort of disparities evident for both more junior and senior roles. The likely result is that Irish firms have higher relative headcounts and consequently less reliance on technology.
Yet manual controls are generally accepted as less effective than automated solutions when it comes to analysing massive amounts of data to detect the patterns of suspicious activity that can be indicators of these complex forms of financial crime.
Of course, businesses must ensure that they invest in people with the right skill set to be able to carry out the more cognitive risk-based analysis of the data. But the sweet spot is likely to be a balance of the two; machines taking the heavy lifting, in turn allowing staff to carry out the more complicated investigative analysis.
It’s likely regulators will increasingly insist on such a blend of solutions, but even where they don’t, the case for investment in technology is strong. Technology allows compliance teams to spend more time doing what they do best. Given the increasingly complex and constantly shifting financial crime landscape, this is especially important. Financial institutions that have these types of holistic measures in place can be far more assured in their ability to detect crime effectively, not just today, but tomorrow and beyond.
