Fixing Financial Compliance: How to Catch the Bad Guys Without Breaking the Bank

Trooly · Published in Trooly Buzz · 6 min read · Feb 14, 2017

These days, the financial services industry isn’t dealing with the bad guys very well. Read through recent “Know Your Customer”/“Anti-Money Laundering” compliance headlines and you’ll be overwhelmed by the contradictory stories: massive penalties are being imposed on financial institutions for failing to adequately comply with anti-fraud standards, while banks are crying out that the massive cost of compliance is too much for their businesses to handle. Requirements for financial compliance are only growing, yet ironically, major scandals that should definitely have been detected by all this infrastructure remain undetected for years.

And that’s just on the business end of things. As an unintended result of these same compliance measures, financial service consumers are getting the short end of the stick — and a terrible customer service experience — in the form of denied transactions, held funds, lack of access to credit, and burdensome paperwork.

It is tempting to conclude that these requirements should be reduced. However, the goal of compliance — to catch criminals and terrorists — is worthy, and so before we throw the baby out with the bathwater, let’s take a step back. We’ve had all these expensive compliance tools and processes in place for years — so why aren’t they working?

Problem #1: Too many false identity matches

For decades, the financial services industry has managed risk with tools that emphasize recall at the expense of precision. In other words, they label huge swathes of people “risky,” knowing that not all of those people are actually risky, but justifying it by saying that it’s fine to overestimate as long as some of those identified are actually troublesome. It’s sort of like trawling for tuna and not caring that your huge net is mostly capturing everything but.

The repercussions of this mindset show up in many of the irritating day-to-day experiences of financial consumers: denied transactions that aren’t actually problematic, or denied credit for otherwise attractive borrowers where there’s simply not enough information available to make a rational judgement.

Okay, so it’s annoying when your credit card gets needlessly declined. But the repercussions are far deeper than just simple consumer irritation. These institutions are generating enormous numbers of false positive hits for people or businesses who actually have no compliance risk. This is extremely costly, for both financial institutions and for merchants. A 2015 report from Javelin found that 15% of U.S. cardholders — that’s 33 million adults — had at least one transaction declined over the course of a year, resulting in $118 billion in lost sales for merchants. All the while, actual credit card fraud only added up to $9 billion. Meanwhile, back at these financial institutions, reviewing and resolving false positive alerts requires manual effort from a compliance officer, and that’s expensive: financial institutions report that billions are now being spent on managing compliance with teams as large as ten thousand people needed to keep up.

One reason for all this confusion is that our compliance processes are embedded with unsophisticated, manually generated, and overly broad filtering and identity matching rules. For example, if you flag every single transaction to or from Syria, you’ll be manually reviewing hundreds of transactions a week. But if you narrow your criteria and learn more about the sender and receiver, you’ll be able to deal with a much smaller subset. Unfortunately, most institutions simply aren’t there yet. Based on our conversations with financial services executives, flagged transactions are incorrect 50% to 99% of the time.

Solution: Dramatically improve the sophistication and precision of identity matching rules using rigorous machine learning.

Problem #2: Spotty information available

Another reason for the number of false positives is that we simply don’t have enough information available on entities that actually present compliance risk. Most financial institutions are trying to match their own users with publicly available information as part of their KYC/AML processes (such as OFAC watchlists, PEP lists, and negative news stories), but unfortunately, that’s not good enough.

The extent of identity information about those on compliance watchlists, in negative news stories, or on lists of politically exposed entities is often limited to names (some of which can be very common), partial addresses, and sometimes information about the perpetrator’s age. When a bank attempts to match this info to their customers, mistakes are inevitably made. For risky entities, a lot of additional identity information can be made available by triangulating across multiple watchlists, media sources, and web sources. However, most of this additional information that could be gathered iteratively about risky entities remains untapped. Banks need to know more about risky entities before they try to match them with their customers, and the way to do this is to use more sophisticated data extraction and identity matching techniques to enhance available identity information about risky entities.

Solution: Use broad-based data search and extraction to enhance identity information about risky entities.

Problem #3: The bad guys aren’t even getting caught

Irony of ironies! Yes, false positives in KYC/AML processes are the biggest day-to-day challenge faced by most financial institutions, but the serious problem here is that very few criminals and terrorists are actually caught by this clunky process. Talk to a compliance agent, and many will tell you that it has been a good month if they actually catch one or two entities who actually present real risk. And yet these entities are controlling huge amounts of money. The UN Office on Drugs and Crime has estimated that the profits from transnational organized crime ring in at $870 billion every year, which is 1.5 percent of our global GDP, yet only about $9 billion is currently intercepted by compliance and law enforcement regimes.

The main reason for this is obvious: most criminals and terrorists are not using our formal financial system to move their money around. They typically use informal financial networks such as the “hawala” network, the global trade system (where they under- or over-invoice to move money around), or else they move value-dense physical commodities (like gold) instead of money. When they do turn to the formal financial systems, they’re probably not using their own name, but relying on a complex web of real and shell companies and/or a network of ostensibly unrelated individuals. The result: they’re almost impossible to track with the current tools we have in place, tools that rely on published data sources like watchlists and negative news articles.

A less obvious reason for these large-scale misses is that our compliance tools and processes focus much more on individuals than they do on businesses. There are very few existing lists or tools that make it easy to identify suspicious businesses and the individuals associated with them. This makes it even more challenging to follow the money trail left by suspicious entities.

But we live in a data-driven world; why not start mining it? Why rely only on published watchlists and negative news stories? Financial systems should be leveraging every public digital data source for evidence of any kind of financially suspicious behavior. Additionally, they should be focusing not just on individuals, but on business relationships. We need to widen these aspects of the net and significantly tighten others in order to make these KYC/AML systems work like they’re supposed to.

Solution: Use more data. Broaden the data net to detect both conventional and unconventional techniques for moving illicit money around and broaden the screening to establish relationships between businesses and individuals.

In an ideal financial services world, we’d be catching fraudsters without subjecting millions of innocent customers to unnecessary delays and frustrating bureaucracy. Enter the machines. Instead of continuing to sift through false positives by hand, we need to leverage the solutions we’ve laid out in this article by using the power of sophisticated computer science to create KYC/AML tools that are more accurate, cost-effective, and customer friendly. It’s the only way to win the battle with the bad guys without literally breaking the bank.


Trooly delivers Instant Trust™ services that verify, screen and predict trustworthy relationships and interactions. https://troo.ly