Algorithms and the fight against money laundering
08/11/2021


In September 2020, the investigative report conducted by the International Consortium of Investigative Journalists (ICIJ) and 108 international media outlets, called the "FinCen Files", revealed that between 1999 and 2017, nearly $2 trillion in suspicious transactions were executed by five major international banks. 

These revelations were followed by the publication on October 3, 2021 of a new investigation by the ICIJ entitled "Pandora Papers". This latest investigation, considered the most important by the international consortium of journalists, was initiated by the leak of confidential information (2.94 terabytes) from 14 offshore service providers. It described the use of offshore transactions by some 35 world leaders and more than 300 other current or former officials and politicians from around the world. It demonstrated once again the fragility of the anti-money laundering and anti-terrorist financing (AML/CFT) systems, and in particular concerning corruption and tax evasion.

 

New measures that have been taken by regulators to manage money laundering risks

To address this issue, regulators have taken several new steps to strengthen the AML/CFT system. For example, the US Congress adopted a new law on money laundering (Anti Money Laundering Act of 2020 - AMLA) on December 11, 2020, as well as one on corporate transparency (Corporate Transparency Act - CTA) on January 1, 2021.

The European Council released the framework of the implementation of the Action Plan on May 7, 2020 for a global policy of the Union on the prevention of ML/TF. It also released a follow-up package of legislative proposals on July 20, 2021, including:

  • A proposal for a regulation (2021/0240 of 20/07/2021) establishing an Anti-Money Laundering and Anti-Terrorist Financing Authority (AMLA) - the authority to be fully operational by early 2024;
  • A proposal for a new Directive (2021/0250 of 20/07/2021) on the mechanisms to be implemented by the Member States to prevent the use of the financial system for ML/TF purposes. This would complement the six previous directives directed toward the fight against ML/TF;
  • A proposal for a regulation (2021/0239 of 20/07/2021) on the prevention of the use of the financial system for money laundering or terrorist financing;
  • and a proposal for a regulation (2021/0241 of 20/07/2021) on information accompanying transfers of funds and certain crypto-assets.

This slew of new regulations by American and European regulators has created an obligation for both governmental authorities and private entities to adopt a risk-based approach. In particular, both governmental authorities (through the National Risk Assessment or NRA) and private entities need to implement an AML/CFT risk assessment. This obligation can be traced to the first of the 40 reformulated recommendations made in 2012 by the Financial Action Task Force (FATF).

For French-speaking countries in the West African Economic and Monetary Union (WAEMU) zone, this requirement has been included since 2015 in Article 11 of Directive No. 02/2015/CM/UEMOA on the fight against money laundering and terrorist financing in the member states of this union.

Morocco modified its legal framework in June 2021 to require the same preventive measure for entities subject to its national laws.

 

A very small number of companies have implemented these new obligations

It is important to recognize at a broader level that authorities have implemented this NRA at a lackluster pace and that the evaluation of the real risk level has been sometimes questionable. The implementation of the assessment specific to private entities has been even more problematic. 

Indeed, only a very small number of financial institutions have met this requirement so far. It appears that only international financial institutions have been able to integrate this new compliance dimension, with varying degrees of effectiveness. The FATF recognizes that this new approach, and the responsibilities that it imposes, are more appropriate for sectors with greater capacity to address ML/TF issues and greater experience in this domain.

Several reasons may explain this lack of compliance by regulated entities, such as ignorance of the obligations, the absence of a codified ML/TF risk assessment method, the lack of adequate training among regulators and regulated entities, and especially the additional cost on top of an already very onerous compliance cost (which can represent up to 5% of the turnover for a large private bank).

Until now, the AML/CFT approach of financial institutions was mainly to focus on the principle of "Know Your Customer" (KYC). This policy, initiated thirty years ago by the FATF, focused mainly on the identification of the customer, the obligations to keep relevant documentation, as well as on the determination of the nature of the financial operations that the customer carried out. The new 2012 FATF Recommendations introduced a new dimension to the compliance of financial and non-financial entities: the "Know Your Risks" (KYR) obligation.

The need for an effective AML/CFT compliance and monitoring system for financial institutions is even more essential as regulators are also increasingly vigilant and repressive. Beyond the FinCen Files, regulators have sanctioned 18 of the 20 largest European banks for failure to comply with their respective obligations, sometimes with financial penalties of several billion Euros.

 

"Dirty" money is increasingly difficult to detect

The risk of ML/TF for financial institutions is even higher as "dirty" money is harder to detect, and national judicial systems struggle to confiscate it.

Europol indicated in different reports published in 2016 and 2017 that only 1.1% of criminal profits was ultimately confiscated at the EU level between 2010 and 2014, and about 1% of the EU's annual gross domestic product (€13 trillion in 2020) has been "identified as being involved in suspicious financial activity."

Meanwhile, the United Nations Office on Drugs and Crime (UNODC), estimated in its October 2011 report on the estimation of illicit financial flows resulting from transnational organized crime that less than 1% of global illicit financial flows is seized and frozen annually. 

The analysis of judicial decisions is particularly instructive. An unfortunately large number of countries display an absence or a trivial number of final convictions (including confiscations of criminal assets). This is true although many of these countries have had an AML/CFT framework seemingly in line with international requirements in place for several years, and despite the significant number of investigations they have opened. In Europe, according to a 2017 Europol report ("From suspicion to action: converting financial intelligence into greater operational impact"), only "10% of suspicious transaction reports are thoroughly investigated after filing, a figure unchanged since 2006."

 

The risk-based approach and the need to know and control risks

The new requirement to adopt a risk-based approach, centered on identifying and assessing specific AML/CFT risks and on taking effective measures to mitigate them, represents a new step for compliance officers at reporting entities.

One of the goals of the 2020 and 2021 U.S. laws is to strengthen and codify this risk-based approach to AML/CFT. This includes the following requirements:

  • providing reports or records that are useful in assessing risk;
  • implementing a "reasonably designed risk management system";
  • and assessing money laundering, terrorist financing, tax evasion, and fraud risks for financial institutions to protect the financial system from abuse.

The new European Union directive of July 20, 2021 aims to harmonize and strengthen the convergence in the application of AML/CFT rules (establishment of a single set of rules throughout the European Union), among its member countries. It specifies that the harmonization of the risk-based supervisory approach will be achieved through the use of a common risk categorization tool to avoid any divergence in the understanding of risks in comparable settings.

 

Risks are increasingly complex to understand due to new financial technologies

Indeed, while the approach is not different from a standard risk assessment methodology (i.e., successive processes of risk identification, assessment, monitoring, management, and mitigation), the inherent money laundering risks of each of the reporting entities must be properly identified, with in-depth and continuous knowledge of the various ML/TF methodologies and their evolution. As the European Union has now integrated its financial system, the impact of new means of payment and fund transfers (e.g., cryptocurrencies, NFT, prepaid cards) represents a major challenge and an extremely high risk of use for ML/TF purposes. This risk has already been highlighted in typological studies. The regulation of these new means of payment is still poorly developed, while the technical and technological aspects are evolving very quickly, eluding both the public and the regulators. Yet cryptocurrencies play a more ambiguous role here: while their appearance has generated an ad hoc financial system that is often poorly controlled and therefore carries risks, they also generate audit trails that are useful if computers are seized by law enforcement agencies for investigations.

The assessment by a financial institution must take into account the Key Risk Indicators (KRIs) related to its customers, the countries or geographical areas in which it operates, its products or services, its transactions, as well as its distribution channels, as detailed in the explanatory note of the same first FATF recommendation. Internal policies, controls, and procedures must enable reporting entities to effectively manage and mitigate their identified risks, the level of which varies according to the nature and volume of their activity.

It is therefore essential for compliance departments to have mechanisms in place to properly identify the risks they are likely to face and to manage them by taking appropriate measures for their effective mitigation. Although there is no such thing as "zero risk", demonstrating a willingness to implement such measures to the extent required by the law is likely to mitigate the risk associated with potential lawsuits and sanctions, and more generally to protect financial institutions from serious consequences.

 

The use of digital technologies makes it possible to build risk assessment models

The traditional approach to risk management consists of a behavioral analysis of clients and transactions, based on the existence of predefined rules validated by the regulator. This approach has the merit of transparency but suffers from various problems. For example, it is relatively easy to structure transactions to circumvent the most traditional rules. Furthermore, this approach generates a very high number of false positives (often more than 90%). It is commonly based on old software that does not have machine learning capabilities. As a result, compliance departments deal with the same case repeatedly and financial institutions ask clients the same thing multiple times. Beyond the financial cost and the degradation of the customer relationship, these false alerts make it more difficult for compliance officers to discover the truly problematic cases. 

An approach based on artificial intelligence algorithms (or more descriptively on machine learning) offers interesting possibilities. These tools can help compliance officers, and generate alerts more dynamically through automated first-level analysis. This allows compliance departments to focus on the most problematic cases using specialist judgment. For example, graph analysis tools can detect relationships between customers that are not obvious at first glance. Other tools allow for better contextualization of customers by creating automatic segmentations. Different techniques allow the identification of anomalies in large datasets. Broadly speaking, these tools allow dynamic risk scoring thanks to their learning capacity. It becomes more difficult for individuals involved in money laundering or terrorist financing activities to avoid detection than with static rules. 
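
The contrast drawn above between a static rule and graph analysis, as an added example that is not part of the original article: customers who share an onboarding identifier are grouped with union-find, and the group's combined deposits are compared with the same limit the per-transaction rule uses. The customer records, identifiers, deposits and the 10,000 limit are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: customer -> identifiers given at onboarding.
CUSTOMERS = {
    "C1": {"phone:555-0101", "addr:12 Elm St"},
    "C2": {"phone:555-0102", "addr:12 Elm St"},
    "C3": {"phone:555-0102", "device:ab12"},
    "C4": {"phone:555-0199", "addr:7 Oak Ave"},
}
# Constructed cash deposits: (customer, amount).
DEPOSITS = [("C1", 9000), ("C2", 8500), ("C3", 9200), ("C4", 4000), ("C4", 3000)]
RULE_LIMIT = 10_000  # illustrative threshold, not a regulatory value


def static_rule(deposits, limit=RULE_LIMIT):
    """Traditional rule: alert on any single deposit at or above the limit."""
    return sorted({c for c, amt in deposits if amt >= limit})


def clusters(customers):
    """Union-find: customers sharing any identifier end up in one cluster."""
    parent = {c: c for c in customers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # identifier -> first customer that used it
    for cust, idents in customers.items():
        for ident in idents:
            if ident in first_seen:
                parent[find(cust)] = find(first_seen[ident])
            else:
                first_seen[ident] = cust
    groups = defaultdict(set)
    for cust in customers:
        groups[find(cust)].add(cust)
    return [sorted(g) for g in groups.values()]


def graph_alerts(customers, deposits, limit=RULE_LIMIT):
    """Alert on linked groups (2+ customers) whose combined deposits reach the limit."""
    totals = defaultdict(int)
    for cust, amt in deposits:
        totals[cust] += amt
    scored = [(g, sum(totals[c] for c in g)) for g in clusters(customers)]
    return sorted((g, t) for g, t in scored if len(g) > 1 and t >= limit)
```

On this sample the static rule raises no alert, while the graph view surfaces C1, C2 and C3 as one linked group for a compliance officer to review; C4, with no shared identifiers, is left alone.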

However, like any technology, machine learning suffers from limitations. Perhaps the most important one is the lack of transparency. At the process level, these tools are based on mathematical concepts that can be difficult to explain to people who do not have this expertise. At the level of individual decisions, the most sophisticated models can produce results that are difficult to understand, even by specialists. Moreover, these models often require large amounts of data that are properly validated and free of bias. This can be problematic. For example, regulators are often silent on the outcome of a Suspicious Activity Report (SAR), making it difficult to classify a decision as correct or not.

In sum, an AML/CFT approach grounded in a risk-based framework appears promising in many respects and, in any case, is becoming a legal requirement. However, this approach requires a reform of the procedures put in place by compliance departments. This evolution will require new tools where machine learning-based solutions will have their place. At least in the medium run, an approach combining these statistical tools with behavioral analysis and especially with the expertise of compliance professionals will offer a higher quality of analysis. IT tools that enable this integration are currently emerging.

 

By 

André Cuisset, AML/CFT Consultant, UNODC and European Union external expert, IFPF and Cercle de la Gouvernance expert

Francis Hounnongandji, Certified Fraud Examiner, Chartered Financial Analyst, President of the French Institute for Fraud Prevention (IFPF)

Gilles Hilary, Professor at Georgetown University and Associate Researcher at the Research Center of the Gendarmerie National Officers School (CREOGN, France).

 
