Upon leaving his position as Europol’s Director in 2018, Rob Wainwright said:
“We have identified 400 top money launderers who are running billions through the European banking system with a 99% success rate.”
It’s unlikely this has changed in the last six years. The statement, almost comedic in its frankness given the international effort lavished on AML regulation over the last 35 years, begs a big question; Why is it apparently so easy for them?
I’d like to suggest that one reason may be the over-emphasised focus on blacklist, greylist, PEP, adverse media and jurisdictional screening as a supposed means of preventing “bad actors” from entering the financial system.
Think about it. Say you are a professional launderer for the Russian mob (or whoever). Your clients know where your daughter goes to school, so Rule 1 for you must be that you don’t go anywhere near anyone or anything which is going to blink red on a sanctions, PEPs and adverse media screening tool. Likewise, wherever you can, you’ll try to avoid having anything to do with the ‘high–risk jurisdictions’ which are being monitored so closely.
So, you’re going down the lower risk jurisdiction route and, for greater volume, you’ll need to use “legitimate businesses”. Next quandary – acquire an existing, genuine business and use it as a front company? Or create something out of nothing and make it look real enough to fool the system? There are pros and cons to both.
Genuine businesses being used as fronts have no difficulty in providing a footprint of normality because that’s what they are – normal, legitimate businesses. Put one or two people you can trust/control in key positions and they can provide powerful engines for laundering, particularly in the import/export space where transaction volumes and frequency help make price and shipment manipulation difficult to detect.
But trying to use genuine businesses for laundering in so-called lower risk countries has its own complications. Employees in the UK, France, the US, Singapore etc may be concerned about losing their jobs if they blow the whistle on something suspicious, but they’re not usually concerned about being poisoned or thrown out of a window. All it takes is one nosy-parker to notice the strange new customers and suppliers, the trebling of volumes and the generous pay-rises awarded to all the staff and to report it, and you have a problem.
It may be better to take a new or newish company operating in a stock/inventory–free sector such as business services, consulting or software development. Having sailed through the rudimentary questions which most banks ask about companies in the SME space during onboarding, and taken care to ignite all the green lights in the adverse screening process (nothing to see here…), you’re then free to start selling and buying services to and from a range of “clients” and outsourced service–providers, many of whom may have profiles similar to your own company – few staff, premises in serviced offices, minimal web presence, little or no discernible marketing activity. By increasing the account turnover at a suitably rapid pace (these are high growth sectors, after all), but not one that is suspicion-inducing, by the time your bank’s transaction surveillance system spots anything anomalous (if it ever does), you could have laundered quite a bit and moved on.
We should be identifying these types of companies and scrutinizing them more closely before they are allowed into the system. But many banks take a minimalist approach during onboarding, trusting that their surveillance systems will pick up any trouble as and when it occurs. This is in contravention of FATF R10 and its interpretative notes, which state that at the commencement of a business relationship, banks should:
…understand and obtain information on the purpose and intended nature of the business relationship.
and that in the case of legal persons they should:
…identify and verify the customer and understand the nature of its business. (my underlining.)
This means that, in addition to corporate and UBO identity and expected account activity information, we should at least have an understanding of an SME’s business model, asking, and obtaining answers to questions such as:
– What do you sell? (Goods, services, both?)
– Where do you sell it and to what type of buyers? (home, abroad, B2B, B2C?)
– How do you market and sell it? (premises, online, face-to-face?)
– what’s your pricing model? (Contract, subscription, pay as you go?)
– How do you get paid? (Transfer, card, payment service, cheque, cash?).
– Who runs the business day-to-day and what’s their career background?
-Who’ll be your major suppliers?
Once we have the answers to these questions, we should then be testing the overall picture against information and data from the real world, with a view to answering the Golden Question, namely “How likely is it that this business is performing, or intends to perform, the economic role which it has described for itself?”
Many banks will balk at the feared costs of such an exercise, arguing that this is effectively enhanced due diligence and that the resources required for such an effort are only warranted if PEPs, high risk countries or traditional high-risk businesses such as a CIB’s, DPMS’s, MSEs, etc and others are involved. But that ignores the reality of how launderers will want to avoid such channels. And it also ignores the role which AI can play in performing the necessary tasks– and in seconds, not weeks.
NLP enabled question protocols during onboarding can attempt to elicit information about business models from applicants and raise silent red flags where they detect dissembling or reluctance to provide information. Once this information is obtained, the same engine can conduct “smell tests” using structured and unstructured public data. Depending on the quality of their preparation, fake or semi-fake businesses being used for laundering may possess features which can be exposed with some AI-driven cyber-digging ;
- poorly constructed, overly brief or generalised websites;
- beyond-random similarities between the websites of the company and its stated main intended customers and suppliers;
- common officers and employees;
- the absence of typical marketing activity such as blog posts, articles in trade journals;
- the absence of staff presence on the internet e.g. no staff profiles on LinkedIn or profiles with fake indicia or indicating no experience in the sector;
- a lack of responsiveness to email enquiries presenting potential business opportunities to the company;
- others
We may think of this process as ‘positive screening’ – an automated attempt to determine the likely genuineness of an entity customer. Applicants who “fail” this smell test should be reviewed by (human) KYC analysts and rejected where there’s a serious risk that their actual or expected economic profiles are not genuine.
Financial exclusion and the encouragement of economic growth are important issues. But there is a world of difference between, on the one hand, denying a bank account to, say, an unemployed worker because their account won’t be profitable and, on the other, refusing to provide services to companies which may otherwise be used to help “launder billions through the banking system with a 99% success rate.”
Tim Parkman
Director, Client Delivery
Marker AI is a digital onboarding platform for professional firms which comes with know-how like this built in. Contact us here for a conversation.