In the USA, the Federal Financial Institutions Examination Council (FFIEC) is clearly concerned about these growing AML challenges. Take trade finance, for example: in an AML/Bank Secrecy Act manual, the FFIEC warns that the international trade system poses "a wide range of risks and vulnerabilities that provide criminal organisations with the opportunity to launder the proceeds of crime..." Indeed, the involvement of multiple parties in any international trade transaction can impede due diligence, with trade finance's continued use of hard-copy filings increasing the risk of documentary fraud linked to ML, terrorist financing (TF) and sanctions busting. [2]

Legal force

It was for such a complex set of assessments that the risk-based approach was developed by the Financial Action Task Force (FATF), and USA financial intelligence unit (FIU) FinCEN, working with major financial regulators, in June [2024] released updated AML/CFT rules to require risk checks by financial institutions. Based on compliance with the 2020 Anti-Money Laundering Act (AMLA), proposals developed with the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) require financial institutions to establish risk-based AML/CFT programmes, taking FinCEN's national AML/CFT priorities into account. [3] A joint note from these agencies said: "It is expected that in doing so, financial institutions would implement more effective, risk-based, and reasonably designed AML/CFT programmes that can better address law enforcement and national security needs..." [4]

In a podcast posted by US-based law firm Ballard Spahr, Nick St John, director of federal compliance at industry group America's Credit Unions [5], stressed: "Until now there was no regulatory requirement to do a risk assessment but this was generally viewed as best practice." However, he had some concerns about the amount of flexibility in the rule regarding how financial institutions (FIs) should conduct AML/CFT risk assessments: "It gives some guidance on the content" to consider products, services, geographical locations, customers and intermediary distribution channels "but they really don't give much guidance on the process that an institution should follow when doing this risk assessment". And while US credit unions may not want a detailed, prescriptive rule, some guidance on preferred methods, and especially on what not to do, would be welcome, said St John.

That said, an example of the practical application of risk-based assessments had been provided in a FinCEN/USA department of commerce report, issued in November 2023, on import-export controls. It highlighted red flags that should raise ML or TF concern among trading companies and associated FIs. That includes purchases under a letter of credit consigned to the issuing bank, not actual end-users; documents indicating trading entities have little or no web presence; customers declaring phone numbers with country codes that do not match a trade's destination country; and more. [6]

Down the line

US regulators have certainly underlined the importance of third-party screening controls to FIs. For instance, the OCC, in January [2024], ordered Blue Ridge Bank, of Virginia, to follow a written programme "to effectively assess and manage the risks posed by third-party relationships", including that it evaluate the AML risks of each third-party relationship, and how these business partners themselves assess their BSA-related risks. Specifically, the OCC ordered that for the time being, the bank cannot sign any fintech contract, unless it is approved by the regulator. The OCC acted after finding the bank had engaged "in unsafe or unsound practices, including those related to BSA/AML..." [7]

Another USA order, from the FDIC, also in January [2024], ordered another bank - Sutton Bank, of Ohio - to compile a complete inventory of its third-party relationships, including related AML/CFT compliance procedures, transaction monitoring and reporting suspicious activity. Ongoing monitoring of third-party suppliers was ordered to ensure the bank complies with US AML/CFT laws. This ruling also insists that the bank's onboarding of new accounts in existing third-party fintech relationships follows BSA/AML requirements. And Sutton Bank had to undertake due diligence and ongoing monitoring of third parties who complete AML/CFT services for the bank. [8]

IT support

Technological solutions for such risk management are increasingly available, for instance ACAMS' 'Risk Assessment' software-as-a-service system, designed to give FIs "a comprehensive and automated means of measuring, understanding, and explaining their money laundering risk". ACAMS says its service is available for smaller banks and credit unions up to global financial institutions; investment and security firms; and money service businesses (MSBs), including those offering virtual asset products and services. [9]

Pittsburgh, USA-based Innovative Systems offers another AML risk assessment system FinScan, which incorporates scoring that assigns ratings to each risk factor, such as business sector, customer demographics, products/services, delivery channels, geographic locations, transaction monitoring alerts and watchlist screening results, based on its significance, likelihood and potential impact: "This aids in prioritising risks and allocating resources effectively. Include both qualitative and quantitative factors in the scoring process," said a note from Steve Marshall, director for FinScan Advisory Services. Resulting actions may include enhanced customer due diligence (EDD), transaction monitoring, sanctions screening, staff training, better internal controls and governance improvements, he said. [10]

Saudi Arabia-based AML tech supplier Focal has stressed that fintechs need to invest in AML to protect themselves and their clients from illicit fund flows. One advantage for such firms is their access to data when assessing ML risk. They can leverage digital identity verification technologies, "including biometrics and facial recognition, to establish the authenticity of customer identities and mitigate identity theft risks," said Focal. It advises fintechs to integrate this with transactional data, customer information and external risk factors, using advanced AI and machine learning-based "analytics [to] identify complex relationships and hidden connections..." Focal offers a risk-based platform with such comprehensive services, it claims. [11]

Learning from experience

Academics also recommend such proactivity. A 2023 paper in the Journal of Digital Banking warned that given the "limited guidance provided by regulators on incorporating fintech into financial institution operations", FIs need to be proactive in learning from published regulatory orders to improve their risk management programmes. It also warns FI to beware potential risk assessment errors caused by fintechs, "such as overborrowing (excessive lending to clients without proper risk checks), bias and discrimination in algorithms", plus data privacy breaches and unreliability. The paper "emphasises the importance of compliance professionals in analysing regulatory considerations early and creatively to meet future demands". [12]

An August 2024 paper in the journal Digital Policy, Regulation and Governance - using Nigeria as a case study - said that in emerging markets, especially, the growth of fintech has "induced money laundering..." The reason is poor regulation, and the paper recommends that policy-makers and FIs create and follow robust AML regulation for fintech services, rather than relying on growing financial literacy to detect illicit money flows in these systems. [13]

And a 2024 paper from the Vilnius Gediminas Technical University, Lithuania, stresses that fintech is attractive to launderers "due to the proliferation of these systems for transaction initiation, unlimited cash flow and anonymous accounts for transaction purposes". It recommends researchers use mathematical models to assess the vulnerability of specific jurisdictions to fintech ML to assess risk. Methods include using TOPSIS calculations assessing proximity to an ideal system; EDAS assessments using decision-making variables and random parameters; and SAW methods investigating a weighted sum of ratings for each alternative solution. [14]

Banks are central

Even if this advice is taken and fintechs raise their AML/CFT game, the growth in financial network complexity is currently strengthening the role of traditional FIs such as banks in AML/CFT according to the International Monetary Fund (IMF). The reason is that "banks continue to be the main intermediary through which illicit funds flow", said a background paper for the IMF's 2023 review of its AML/CFT policies. Moreover, banks remain attractive for ML because of their global reach via branches and subsidiaries, broad product range (including correspondent banking and trade finance), competitive customer fees and high transaction speeds. [15]

If these hubs succeed in AML/CFT then it is not just their institution that is protected from illicit fund flows, but the entire financial eco-system in which they operate. That is why transaction monitoring service providers such as Singapore-based Flagright stresses the value of network assessments for AML/CFT in this new world of financial complexity.

In an October 2023 paper, it said by providing visual and analytical representation of financial transactions, including by graphs, network analysis "allows investigators to identify patterns, links, and anomalies that might otherwise go unnoticed in a vast sea of data".

Mapping time and space

Key components of such work include 'nodes' that can represent individual account holders, a corporation, bank or other financial institution; these are linked to 'edges' - connections or interactions between nodes - it might be a transaction, contract or other exchange of value; and these assessments also examine 'attributes', linked to either nodes or edges - essentially additional information, such as account balances, type, country of registration (nodes), and transaction amounts, date or type (edges).

Integrate and assess these data points, and useful and actionable AML/CFT intelligence can emerge, said Flagright, for instance suspicious transaction patterns; complex AML schemes; shell companies and phantom entities; repeat offenders; and EDD. The breadth of such data also strengthens temporal analysis: "Money launderers might opt for transactions during off-peak hours, or in quick succession to confuse automated tracking systems," noted Flagright. [16] With AI-based systems being developed apace, the ability of monitoring systems to deliver more intelligence on financial eco-systems is strengthening. Corey Anne Bloom, partner and eastern Canada leader, forensics, fraud risk management and litigation support services, for major Canadian accounting firm MNP, told an Association of Certified Fraud Examiners (ACFE) conference in Ottawa in October [2024]: "Technology can help us." That includes for organisations with small staffing levels: "Technology it can help us work faster with fewer people," said Bloom, including for financial crime involving "collusion, which is always harder to detect than people working alone". With larger organisations and networks, geographical analysis can help deliver intelligence, aided by visualisation services, which can be dynamic offering real-time displays, she said.

This capacity-building can be truly relevant for financial institutions, with St John stressing that in the USA, 45% of credit unions have 10 or fewer employers. Therefore, FinCEN's new requirement to stage AML/CFT risk assessments "could affect those smaller institutions - they may have only one person who handles BSA on staff and they weren't doing risk assessments and now they're going to have to start...," he stressed.