This article originally appeared in the January/February 2024 issue of ABA Risk and Compliance, by Juan Zarate and Sarah Watson. Reproduced with permission. © 2023 The American Bankers Association.
The landscape of financial crimes is constantly evolving, and the concept of transparency is being fundamentally challenged. A dynamic, innovative approach is imperative to preserve and shape the future of financial integrity.
The ongoing pursuit of financial transparency has long been the cornerstone of regulatory demands and compliance efforts both in the U.S. and worldwide. However, in a rapidly changing risk landscape, marked by heightened national economic security concerns and a shifting geopolitical landscape, the need for transformative strategies to ensure transparency in the fight against financial crimes has never been more evident.
Historically and importantly, regulatory debates regarding more transparency in the U.S. financial system have often swirled around corporate beneficial ownership requirements and mechanisms. Yet there is a much larger shift underway globally–driven by digital and decentralized payment systems, new technologies, and increased expectations—which places stress on the conception and limits of transparency. The call for transparency in the financial and commercial system is amplified by the deepening reliance on sanctions as a tool of national security, increased scrutiny of inbound and outbound investments, stringent export controls, and intensified anti-kleptocracy measures.
Absent a broader view of and response to these 21st century challenges of transparency, banks, regulators, and other key stakeholders will find themselves caught in outdated 20th century debates and will struggle to meet the preventative policy goals of the anti-money laundering system.
This article delves into the heart of these challenges and explores how new thinking, technologies, and approaches can strengthen transparency and enable financial integrity.
The Beneficial Ownership Database and the Risk-Based Approach
On December 15, 2022, the Financial Crimes Enforcement Network (FinCEN) released a notice of proposed rulemaking governing access to the forthcoming database of corporate beneficial ownership information created under the Corporate Transparency Act, the reporting rule proposal.[1] However, the proposed reporting rule envisions that financial institutions (FIs) will have limited, case-specific access to the database to facilitate compliance with customer due diligence (CDD) rule requirements. Additionally, FinCEN has not yet released proposals—required under the AML Act of 2020—for revisions to the 2016 CDD Rule that would specify how FIs may or should integrate the database into their CDD programs. Without this revision, and any final rule governing FIs’ access to this database, many questions remain for banks, other FIs, and their customers. The final form of both rules will eventually determine how, and the extent to which, banks and other FIs consult the database and use any information it contains.
Industry stakeholders, including the ABA, have lobbied for changes to the access rule (as well as the ability to share information with foreign branches and subsidiaries) and have criticized the proposed restrictions as making the database “effectively . . . useless.”[2] Bankers have similarly pushed for rule changes that allow FIs to rely on information in the database as part of broader BSA, sanctions and anti-illicit finance work.[3] The industry’s position has been clear: the database should become the primary source of beneficial ownership information. The demand for a “one-stop shop” is driven by FIs’ need for efficiency, finality, and a safe harbor in a complex information and compliance environment. On the other hand, FinCEN and other government stakeholders have argued that allowing FIs to rely on the database poses the risk of creating a single point of failure. Additionally, allowing FIs broad access could potentially expose private information unnecessarily.[4]
The ongoing debate over access to the beneficial ownership database is only the latest salvo in a multi-decade battle over the types of information FIs must collect on their customers. Beginning with the passage of the original Bank Secrecy Act laws in 1970, the goal of the expanding U.S. and global financial integrity architecture has ultimately been to achieve a measure of transparency into financial transactions: to ensure that FIs, and as necessary, law enforcement agencies and other public authorities, have a clear line of sight into suspect transactions and the individuals who carry them out. Transparency in this context does not mean public, or fully exposed. Instead, financial transparency is inextricably linked to considerations of privacy, access, and privilege—and ultimately risk management. The objective is to ensure that those who need to know the underlying nature of ownership, interests, and transactional relationships, can know, while protecting financial data to the greatest possible extent from those who do not need to know.
Over the last twenty years, U.S. regulatory authorities and the financial industry have arrived at a relatively stable consensus as to the overarching framework for achieving financial transparency: the risk-based approach (RBA). Under the RBA, each FI is responsible for managing its own risk: collecting the legally required data available to it and analyzing that information to fulfill its responsibilities under the BSA. Conversely, it is the responsibility of FinCEN and law enforcement agencies to bridge the gaps between the balkanized viewpoints of individual FIs and connect them into a coherent end-to-end view of a transaction or network of concern.
While the end state may be firmly established, this does not mean that government and industry always agree as to how responsibility for ensuring transparency (and the costs that go with it) should be apportioned. The debate over the CTA is a case in point. It isn’t always clear who is ultimately responsible for risk management, especially when parties enter into complex arrangements to deliver financial services.
One example is the ongoing debate within the consortium of banks that participate in the Zelle payment transfer platform over the appropriate response to scam transactions.[5] Another example is the risk management concerns and lack of trust that have long prompted U.S. banks to avoid or restrict even U.S. money services businesses operating in higher-risk geographies[6] despite efforts by the U.S. government to ensure access.[7]
While acknowledging the merits of the RBA, it’s worth considering whether, given recent developments in the international financial system and global politics, a more innovative and forward-thinking perspective could complement and enhance its effectiveness without fundamentally altering its core principles. Emerging trends are reshaping the landscape, offering both peril and an opportunity for creative risk management.
Growing Pressures on Transparency
The concept and application of transparency to manage financial crime risk is coming under pressure from a host of trends that undermine the assumptions on which the current system is based. Together, they are creating a world that demands entirely new ways of thinking about financial transparency.
Complexity and Disintermediation of the Payment System
A systemic challenge to transparency is the increasing diversity and complexity of global financial systems. Even as the U.S. banking sector appears set for a wave of consolidation, U.S. FIs, particularly banks, are engaging with an increasingly fractured commercial and consumer financial system while still remaining the primary focus of payment transparency for regulators. Consumers and even businesses are placing increasing reliance on peer-to-peer payments apps to conduct daily transactions. For example, payments using Zelle were up 31 percent in the first quarter of 2023,[8] while electronic payments overall increased 19 percent in 2021.[9]
Electronic payments, particularly those facilitated by payment processors and other non-traditional partners, offer customers convenience and ease of access. Thanks to the growth of online marketplaces like Amazon, payment intermediaries are increasingly involved in the types of cross-border payment activity that would once have required bank-to-bank wires, or even letters of credit.
New payment methods, and the commercial arrangements necessary to support them, pose transparency challenges for all actors in the system, particularly banks. Customer use of new payment methods almost always results in a certain level of payment disintermediation, interposing layers of intermediaries and technological solutions between the bank and the ultimate originator or beneficiary. This makes it more difficult for banks to understand the transactions processed through their accounts and systems.
The booming fintech sector and the persistent (if diminished) presence of crypto-related transactions through the traditional financial system, expose banks to a dizzying array of partners and new forms of payment or settlement. This expansion extends a traditional financial institution’s sector and geographic risk exposure in ways that may be opaque. As a result, banks may ultimately be providing services to customers outside of their risk appetite, or act as a link in a chain of transactions that either originates or terminates in a country where they would not ordinarily engage in business.
The ability of banks to maintain the transparency of transaction chains in which they play a part, is likely to be limited by:
- Technological limitations on their partners’ ability to pass on data;
- Local data-privacy regimes;
- Contractual limitations on what a partner is required to share; or
- A failure or error on the part of a partner somewhere along the chain.
The risk is magnified by the different regulatory regimes applied to bank and non-bank FIs (NBFIs). The Wolfsberg Group, which produces the standard inter-bank questionnaire used in correspondent due diligence, has left it up to banks whether or not to use the questionnaire for payment service providers and other NBFIs, even though such entities may access to the correspondent’s accounts that is equal to, or greater than, a bank respondent.[10] The varying strength and effectiveness of international supervisory regimes adds a further layer of complexity.
At the same time, the compliance and enforcement environment is only becoming more complex, with:
- The increase in U.S., European Union, United Kingdom, and other national sanctions following the Russian invasion of Ukraine;
- A growing portfolio of export controls managed by the Commerce Department’s Bureau of Industry and Security (BIS), along with greater scrutiny of supply chains; and
- The use of sanctions to deter illicit activity and sanctions evasion in entire sectors, such as shipping and maritime trade.
Many sanctions and export prohibition programs are aimed at large, complex economies or regional sanctions evasions networks with deep roots in non-sanctioned countries. The enforcement focus on sanctions evasion puts a premium on understanding ownership and control interests, counterparty risks and exposure, and financial criminal behavior and facilitation intended to avoid sanctions scrutiny.
The growing blend of sophisticated licit and illicit trade–from pharmaceuticals to dual-use technologies—also presents challenges of risk management. Broad de-risking, which banks have historically employed bluntly to shield themselves from high-risk geographies, may not be a feasible or popular approach given that the jurisdictions or regions with rising risk profiles—such as China and Gulf countries—are also major centers of trade and commerce, where many global banks have established branches and investors remain attracted. Licit and illicit commerce are sometimes closely intertwined within these large and complex economies. As a result, U.S. FIs with exposure to these regions–especially through partners–may be reluctant to de-risk and instead choose to rely ever more heavily on partners’ opaque controls.
The Flood of Data and Rise of Artificial Intelligence
Transparency is also challenged by the rising tide of data in combination with new technologies that threaten to overwhelm FIs’ traditional analytic approaches. Partly as a result of the switch to digital payments, which has reduced reliance on cash and checks, FIs have access to increasing quantities of data on their customers. This includes not just transactional data, which can be more easily harvested from digital transactions, but also data on customers’ public profiles, activities, and reputation. Customer data may be sourced from FIs’ own proprietary databases or those created by third parties; from traditional public sources, such as government databases or the legacy media; and now, from nontraditional media sources and peer-generated platforms like LinkedIn. This access to unprecedented quantities of data holds out the promise of greater transparency through improved understanding of the customer, the customer’s relevant behavior, and the customer’s counterparties. But it also creates a challenge of validation: how can banks distinguish useful data from that which does not provide increased understanding or insight or that is ultimately not trustworthy, and how can they do so efficiently, effectively, and at speed?
The problem of too much data—or too much unreliable data—can extend from retail identity authentications to complex due diligence and investigations on high-risk clients. At one end of the spectrum are fraudsters who use stolen data to create synthetic identities, using a combination of real and fictitious data to create imaginary people and, in some cases, to leverage and exploit banks’ reliance on credit bureaus for identity verification. At the other end is the challenge of judging the reputational and financial crime risks posed by a high-net-worth client who may be the subject of a mix of gossip, speculation, and investigative reporting, all playing out in traditional and new media sources.
Banks could simply stick with tried and trusted sources:
- Relying on credit bureaus to distinguish real individuals from false identities;
- Using traditional curated vendor databases, rather than simply standard search engines, to conduct negative news checks; or
- Waiting to exit a customer dogged by allegations of corruption or financial improprieties until the individual has actually been indicted.
But if banks choose this route, they must realize that hindsight always seems to curate negative news. Institutions should be prepared to face questions from their regulators, the media, and the public—all of which have access to other sources of information that the bank has chosen to disregard—as to why the bank ignored the supposedly “obvious.” The enforcement actions,[11] legal repercussions,[12] and negative media attention[13] for banks that offered services to Jeffrey Epstein are a case in point.
Recent developments in artificial intelligence (AI) promise to further upset the calculus for banks, amplifying questions as to what data is real and which customers or transactions can be authenticated. AI-powered chatbots[14] can spell-check phishing emails, making them more convincing; those that have been designed to operate without guardrails can go further and create entire phishing campaigns,[15] potentially increasing risks of scams targeting bank customers or banks themselves. Such chatbots are already being used by legitimate media organizations to create content,[16] and researchers have shown that even widely available, ethically trained models can easily be used to create “fake news” based on false data or conspiracy theories.[17] The advent of generative AI amplifies the potential for fraudsters to mimic legitimate customer behavior and to sharpen social engineering campaigns. Such capabilities may make AI a dangerous accelerant in the disinformation campaigns of the future, making it even harder to know whether you can trust what you read online or from whom you are reading it.
But AI may also be one of the main tools banks have to analyze and extract value from the new information universe, not only detecting fraud attacks but analyzing sentiment on social media or producing summaries of complex corporate filings to help identify beneficial owners. Technology vendors already applying AI can more readily scrape negative news and help refine risk ratings and considerations. And AI holds the promise of more predictive analysis of fraudulent or criminal financial behavior, with access to more validated data.
The Limits of Risk Management and Reliance
Despite the RBA’s traditional emphasis on individual institutions managing their own risk, FIs operating in the current environment perforce must participate to a certain extent in shared risk management. They must frequently rely on a partner with whom they have an arms-length relationship to protect them from the risk to which that partner exposes them. Banks may see only half of a transaction, or the transaction may be entirely obscured in batch transfers. A bank can conduct due diligence on a partner or FI customer, but they don’t generally have access to the kind of detailed internal information that would allow them to truly assess the strengths and weaknesses of their counterparty’s compliance program.
On a global scale, nation-states face the same challenges: national governments have come to realize that the integrity of their own financial system depends in part on efforts of partner governments. At the same time, even the best-run banks struggle to eliminate or control risk that penetrates the system due to lapses—or over-reaction—by a single lax jurisdiction. The crackdown in China on due diligence and information gathering or sharing, especially by Western companies, underscores dramatically the growing murkiness in major authoritarian economies. As a result, the promise of transparency too often proves illusory, with the trail running cold at national boundaries or disappearing when one FI in a payment chain fails to attain adequate visibility into its own portion of the transaction.
The stresses facing the traditional model of transparency call into question the long-term viability of this approach. In response, governments and the private sector have taken some steps to shift the paradigm from an institution-based risk management model to a collective one. They are harnessing the considerable potential for innovation in collaborative risk management, both within the industry and via public-private partnerships (PPPs) and similar cooperative arrangements. The benefits of sharing the burden and even the costs of discovering and managing risks have driven a growing market demand for collaboration.
Globally, financial sector stakeholders are demonstrating their desire for collaboration and are working with governments to develop rules of the road to enable them to work together while respecting privacy and confidentiality. In the Netherlands, a suspicious activity monitoring cooperative founded by five Dutch banks draws on transactional data from all five participants. This collaborative approach enables the development of monitoring insights that would not be achievable using data from a single bank alone. Additionally, shared teams collaborate to develop common monitoring rules based on the pooled data.[18] In Canada, major domestic banks have collaborated with FINTRAC, the Canadian FIU, to combat human trafficking[19] and child sexual exploitation[20] by developing and disseminating transactional red flags for these crimes. Just this summer, three major Spanish banks announced a new joint venture that will create a stand-alone entity, FrauDfense, that they hope will eventually allow them to unify their counter-fraud efforts, with the first phase of the project being information-sharing on fraud typologies.[21] In the United States several large banks have begun leveraging 314(b) information-sharing provisions to pool data and conduct collaborative investigations of targets flagged by law enforcement agencies.[22] There will be more attempts to pierce the veil of opaque payments and transactions through collaborative models and exchanges.
Innovation to Address and Restore Transparency
These efforts are an important start, but they will not be sufficient to achieve and maintain transparency across the financial system. Transparency, and by extension, financial integrity, necessitates a more extensive and comprehensive approach to information sharing. It may even entail rethinking the very concept of information sharing itself.
Where possible, information can be shared directly, using trusted platforms that allow all participants to extract maximum benefit from collaboration while integrating as much as possible with their own native systems. Public authorities should lean forward to share some elements of risk management by creating new forms of operational public-private partnerships. In the context of cyber security, and drawing inspiration from the Financial Services Information Sharing and Analysis Center (FS-ISAC), such models could include more proactive sharing of real-time risks and monitoring of transactions in high-risk corridors or jurisdictions. Innovative PPPs could help solve some of the transparency issues of concern.
Where such direct sharing is prohibited by legal barriers, national borders, or privacy concerns, we should develop new information-sharing arrangements, systems, or platforms that allow for knowledge to be shared without actual movement of data. Federated learning provides an elegant solution to allow for the sharing of insights regarding financial crime risk, without ever having to move, extract, or share data. This technology allows for the training of models to discover anomalous behavior on multiple data sets—between institutions and even across borders—without requiring the FIs involved to actually disclose, extract, or move data to other participants.[23] The ongoing federated learning capabilities of companies like Consilient and Intel[24] and the recent announcements by Azure and SWIFT[25] and the BIS Innovation Hub[26] regarding their exploration of federated learning in the financial integrity space, highlight the potential of this technology and approach.
In the realm of digital ID, new technologies and triangulation of features of identity hold out the promise of eliminating much of the friction involved in basic identity verification and concerns about the authentication of identity online.[27] A widespread and effective digital ID system could combat synthetic identifies, reduce costs for FIs, and expand consumer access to financial services. Although forms of digital ID vary wildly, decentralized or tokenized digital ID, which allows for validation of customer identities while keeping customer data itself private, may be particularly appropriate for the financial sector and the need to consider data privacy laws and different national identity regimes.[28] Combined with new crypto-analytic capabilities to track on-chain transactions, new technologies to identify and validate account holders and counterparties in payment chains can help improve visibility in the digital world.
Closing Thoughts
The intertwined demands of risk management, financial integrity, and national security place a premium on strengthening a new version of transparency. Ultimately, the financial industry, regulators and key stakeholders must ensure that they can effectively manage their financial crime risk, which requires in the first instance the basic blocking and tackling of customer due diligence. Appropriate and effective implementation of the FinCEN beneficial ownership database is no doubt an important step in facilitating this risk management and the further development of the U.S. AML system. But we must recognize that this is but one step in a dynamic journey. This alone will not be enough to safeguard and ensure transparency in the financial system.
No matter the ultimate rules governing FI access, the creation of such databases across the world will remain important but not sufficient. Centrally maintained databases will ultimately form part of a risk management system that is under stress and an AML/CFT system that, without further innovation, will be less and less able to prevent financial crime. Given that the very foundations of transparency and security are evolving at an unprecedented pace, such traditional efforts and rules may ultimately be seen as outdated projects before they are even completed.
An effective approach to financial integrity must constantly evolve, harnessing innovative technologies and strategies to stay ahead of increasingly sophisticated financial criminals. In evolving and adapting to achieve transparency, we can build a system where financial crimes are not only detected but prevented. This long-stated policy goal requires the collective and unified efforts of all stakeholders in the financial system to ensure a commitment to discover and manage financial crime risk preventatively. In a world where transparency is being challenged fundamentally, the prevention of financial crime requires dynamic collaboration, constant innovation, and shared risk management. In this way, transparency ultimately can be renewed and restored to help protect the integrity of the financial system.
[1] www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities
[2] www.aba.com/advocacy/policy-analysis/joint-letter-to-fincen-on-boi-access
[3] https://www.aba.com/-/media/documents/testimonies-and-speeches/testimony-of-pete-selenke-on-behalf-of-aba-071823.pdf?rev=118205bd0ac34941b6a995befc6dd4d1
[4] https://www.fincen.gov/sites/default/files/2023-04/HHRG-118-HFSC-DasH-20230427.pdf
[5] https://www.wsj.com/articles/small-banks-warn-they-might-have-to-drop-zelle-over-scam-payment-costs-11670849934
[6] https://www.gao.gov/assets/gao-22-104792.pdf
[7] https://home.treasury.gov/news/press-releases/jy1438
[8] https://www.americanbanker.com/payments/news/zelles-first-quarter-transaction-volume-rises-31-year-over-year
[9] https://www.mckinsey.com/~/media/mckinsey/industries/financial%20services/our%20insights/the%202022%20mckinsey%20global%20payments%20report/the-2022-mckinsey-global-payments-report.pdf
[10] https://db.wolfsberg-group.org/assets/431f9f38-d56d-426d-b929-620371131654/Wolfsberg%20Correspondent%20Banking%20Principles%202022.pdf
[11] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007071
[12] https://www.theguardian.com/us-news/2023/jun/26/jpmorgan-jeffrey-epstein-settlement-lawsuit-victims
[13] https://www.nytimes.com/2023/06/19/business/jeffrey-epstein-jpmorgan.html
[14] https://www.theguardian.com/technology/2023/mar/29/ai-chatbots-making-it-harder-to-spot-phishing-emails-say-experts
[15] https://www.bleepingcomputer.com/news/security/cybercriminals-train-ai-chatbots-for-phishing-malware-attacks/
[16] https://www.vox.com/technology/2023/7/18/23798164/gizmodo-ai-g-o-bot-stories-jalopnik-av-club-peter-kafka-media-column
[17] https://www.nytimes.com/2023/02/08/technology/ai-chatbots-disinformation.html
[19] https://fintrac-canafe.canada.ca/emplo/project-projet/psr-eng.pdf
[20] https://fintrac-canafe.canada.ca/intel/operation/exploitation-eng
[21] https://www.occrp.org/en/daily/17897-leading-spanish-banks-launch-fraud-prevention-platform
[22] https://www.moneylaundering.com/news/large-us-banks-sharing-financial-intelligence-through-private-exchange/
[23] https://finreglab.org/ai-machine-learning/federated-machine-learning/
[24] https://www.intel.com/content/dam/www/central-libraries/us/en/documents/consilient-whitepaper.pdf
[25] https://customers.microsoft.com/en-au/story/1637929534319366070-swift-banking-capital-markets-azure-machine-learning
[26] https://www.bis.org/publ/othp66.pdf
[27] https://www.fatf-gafi.org/content/dam/fatf-gafi/brochures/Digital-ID-in-brief.pdf
[28] https://www3.weforum.org/docs/WEF_Reimagining_Digital_ID_2023.pdf