Banks Find AML "Ineffective", Propose Access To Social Media
The world's biggest banks find monitoring for suspicious activity "ineffective". In a "True Risk-Based Approach", the group now proposes access to customer social media, IP addresses, and device IDs.
The Wolfsberg Group, an association of Banco Santander, Bank of America, Barclays, Citigroup, Deutsche Bank, Goldman Sachs, HSBC, JPMorgan Chase, MUFG Bank, Standard Chartered Bank and UBS, has issued a statement on the effective monitoring of suspicious activity to improve the performance and accuracy of detection models used to investigate financial crime.
According to the statement, "the Group does not believe that the value being derived from the (constantly increasing) volume of [Suspicious Activity Reports/Suspicious Transaction Reports] is contributing proportionately to effective outcomes in the fight against financial crime".
While "the current approach has resulted substantial increases in the volumes of SAR/STR filings [...] no reliable evidence shows a proportionate increase in highly useful information for relevant government agencies or a material reduction in money laundering and terrorism financing activities".
The Group's statement concludes that existing methods for the monitoring of suspicious activity "are inefficient and ineffective at producing timely outcomes that are useful to law enforcement".
The Group notes that to date, no uniform framework exists to measure the effectiveness of current monitoring solutions. While introduced "well over two decades ago", the Group argues that monitoring for suspicious activity has “grown into more [...] expansive risk and control frameworks" that merely increase the number of SAR/STRs filed.
Similar observations have been made by Europol, which found that "98.9% of the estimated criminal profits are not confiscated" in the EU, despite rigorously employed AML/CFT frameworks.
The Group states that "reporting potentially suspicious activity in all cases where red flags and typologies potentially indicative of financial crime have alerted and in which the legitimacy of the underlying transactions could not be fully verified" demonstrate ineffective activities, only standing to assure the regulatory compliance of financial institutions while being "unlikely to provide useful information to law enforcement".
Metrics like "the coverage of potentially relevant red flags and typologies, alert and case volumes, alert productivity, or alert-to-SAR/STR ratios [...] are limited in their ability to measure actual effectiveness due to their focus on the quantity, as opposed to the usefulness, of the information provided".
To "make effectiveness [...] a more tangible concept", the Group states that it is necessary "to re-define how the effectiveness of an [Financial Institution's Monitoring for Suspicious Activity] programme is determined and measured".
A "True Risk-Based Approach" to yield "higher value, quality outputs" and focus on "the usefulness of the information" monitoring programs generate is proposed in attempts to ensure that Financial Institutions "allocate resources toward mitigating crystallised risk rather than processing and documenting coverage against theoretical risk that has not been observed".
The proposed approach would include the incorporation of "dynamic behavioural customer information" such as device IDs and IP addresses as well as "data from reputable external, publicly available sources", such as "verified customer social media accounts", allowing financial institutions to create a more comprehensive "customer behavior analysis" and a more efficient "network-based contextual view of a customer".
The Group proposes Machine Learning algorithms to be used "as booster models to augment a rules-based system, or, in some cases, be used as the primary detection tool itself" and highlights the "opportunity for Public-Private Partnerships".
The Group notes that the presented body of work is "built on the recognition by the Financial Action Task Force (FATF) [...] that jurisdictions should not
focus solely on technical compliance with laws and regulations but evolve actively towards measuring effectiveness and outcomes".