A new era of banking has arrived, thanks to digital transformation. At the helm are digital banks—also called neobanks—which operate purely online, and promise to revolutionize the banking experience by focusing on customers’ needs through personalized services and omni-channel service.
Countries in Asia-Pacific are beginning to issue digital banking licenses. Regulators in Singapore, Malaysia, Hong Kong, and Australia went through evaluation processes before granting licenses to digital banks, which are leading this new frontier of financial services.
Being a nascent category in the financial services industry, digital banks face unique risks and opportunities. With the right tools, they can onboard customers swiftly while also ensuring that suspicious transactions are reported and intercepted. They’re also in a better position to implement agile solutions that keep cybercriminals at bay; financial services, after all, face the most mobile malware attacks among all industries.
Complying with strict national and international regulations around AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) will help digital banks protect their platforms from penalties and reputational damage. They must consider AML/CFT compliance not as a one-time activity, but as an essential component of their risk strategy.
Too often, financial institutions end up entangled in scams due to poor compliance practices. Some of the bad actors may come from within the company, as seems to be the case in the recent saga of Wirecard, a payments processing company that couldn’t account for €1.9 billion in its books. Consequently, external auditors and regulators were also criticized for poor monitoring.
On the other hand, customers unwittingly provide sensitive information to cybercriminals when they fall for phishing scams. They might also act as money mules. In the US, a fraudulent website pretended to recruit people for work-from-home jobs. After asking applicants to perform bogus errands, the site told them to encash checks or cryptocurrency from “donors” in exchange for commissions.
Criminals tend to get away with such activities by using digital financial platforms with weak customer due diligence, poor transaction monitoring, and delayed reporting of suspicious activity. They also exploit security loopholes in apps.
Compliance with AML/CFT regulations can help institutions avoid the risk of paying massive fines for violations that are preventable. Beyond its financial standing, a digital bank’s reputation as an insecure platform and an inadvertent accessory to financial crime could cost the institution its customers and the entire business.
Even without physical premises where tellers can check customer identities, digital banks are still legally bound to verify the documents presented by new customers. They must also report to regulators any irregularities in transactional behavior. These processes are all part of AML compliance programs.
Designing an AML Compliance Program
Designing and implementing an AML compliance program requires having competent compliance officers with a profound understanding of AML/CFT regulations and awareness of the ever-changing methods of criminals.
These officers create risk-based approaches based on data intelligence gathered on various fronts: screening of politically exposed persons (PEP) and their relatives and close associates (RCA), transaction monitoring, global sanctions and watchlists screening, and cybercrime trends.
Here are questions to ask to begin building an AML compliance program:
- What are the AML/CFT-related risks that we must watch out for given the nature of the business, the customers we attract, and the location and industry where we operate? Which risks must we prioritize when monitoring financial crime?
- What are the existing AML controls we have? How might we improve them? How and when can an independent auditor assist in improving our systems?
- How many employees are involved in AML/CFT functions? How can we raise the competency of employees in spotting financial crimes?
Regulators in APAC are updating their policy guidelines to help fintechs comply with AML/CFT rules on knowing their customers.
In Hong Kong, the Securities and Futures Commission updated its Code of Conduct to introduce new onboarding rules in non-face-to-face contexts. For example, only regulated financial institutions may perform client identity verification for the purpose of opening a bank account in a non-face-to-face setting.
Malaysia’s central bank has issued policy guidelines on electronic Know Your Customer (eKYC) measures. These include multi-factor authentication of identities, specifically with regard to “something the customer possesses (e.g. identity card, registered mobile number), something the customer knows (e.g. PIN, personal information), and something the customer is (e.g. biometric characteristics)”.
With robust eKYC processes and high-accuracy tools, a digital bank can:
- Determine which customer has a higher risk of being involved in money laundering, fraud, terrorist financing, and other financial crime;
- Conduct continuous KYC or customer due diligence rather than periodic reviews, given the increasing and evolving threats to financial institutions; and
- Use analytics to facilitate regulation-compliant and accurate evaluations.
According to the Monetary Authority of Singapore (MAS), an effective transaction monitoring system enables financial institutions “to detect and assess whether customers’ transactions pose suspicion when considered against their respective backgrounds and profiles”.
The system must be able to flag suspicious activities that do not fit a customer’s transaction pattern on three levels of defense:
- The firm’s frontline staff, who can alert their companies of unusual activities in the first instance;
- The firm’s compliance and support functions, which conduct systems-based transaction monitoring and can promptly identify, assess, and report suspicious activities; and
- Independent audit functions, which ensure the robustness and effectiveness of the firm’s TM systems and performance.
In Australia, AML policies also require firms to perform routine screening of the transactions of politically exposed persons (PEPs) as well as adverse media checks—monitoring news media for reports that might suggest a customer is involved in money laundering. The Australian Transaction Reports and Analysis Centre (AUSTRAC) provides industry-specific guidance on creating AML/CFT programs.
Using Smart Technologies to Assess Data
Automation can help digital banks save on costs and speed up processes. Digital banks can deploy AI, machine learning, and predictive algorithms to automate data assessment, detect stolen identities and deep fakes, continuously monitor transactions, and identify suspicious activities. For large-scale institutions, automation of activities like transaction monitoring is a must.
It’s important to check each country’s standards for such automation tools. Malaysia, for example, requires financial institutions to ensure that automated eKYC tools have a False Acceptance Rate (FAR) of no more than 5%. (A lower FAR generally means the tool has “identified non-genuine or fraudulent identification and verification attempts on a regular basis”.) Financial institutions must audit these tools at least once every quarter.
Automated tools must also be customizable and configurable to meet the specific contexts, risks, and needs of the digital bank.
For instance, Singapore’s MAS warns against taking a one-size-fits-all approach to transaction monitoring systems, as these need to be “developed and calibrated in view of the risks [financial institutions] face, such as from their customer types, range of products, types of business, activities, geographical exposures, cross-border nature and so forth”.
Taking a Non-Siloed Approach
Often, AML/CFT functions work in silos and have their own processes for dealing with suspicious activity reports. There is a more efficient way to do this: AML solutions that use AI and machine learning can go through high volumes of data for real-time monitoring and PEP screening.
When a trigger event happens, an automated system can check high-risk profiles against the latest national and international cybercrime databases and sanctions lists and generate a comprehensive SAR/STR in a matter of minutes. This allows the bank to report to regulators promptly and protect its customers.
Money laundering and the financing of terrorist activities have economic and social impact. With the right mindset and tools, financial institutions can protect their companies and their customers without disrupting business or suffering reputational damage.
Amid evolving risks and threats of financial crimes, digital banks are in the best position not only to provide innovative products but also to channel that enterprising nature towards embracing more agile AML solutions.