March 5, 2024

How Banks Can Avoid AML Compliance Fines in 2024

Evolving banking regulations and AI-powered fraud have culminated in US banks being fined $7 billion in 2023. Modern, BSA-compliant AML is the answer.

Fraud, Fines, and Freedom

7 billion dollars. That's the amount of money large banks, financial institutions, and gaming organizations paid in completely avoidable fines in 2023.

We'll get to the avoidability of these fines, but the numbers are extreme and warrant a browse.

Binance led the pack with a whopping $4.3 billion slash to their bottom line. However, cryptocurrency and new financial mediums weren’t the cause; lack of anti-money laundering and customer due diligence drove these penalties.

  • Despite finalizing their guilty plea in December of 2022, Danske Bank was promptly ordered to pay an incredible $2 billion fine when the US judge accepted the plea in early January - all for failures in proper AML implementation.

  • Wells Fargo made the list with a $97 million penalty for violating sanctions.

  • Deutsche Bank paid the feds $186 million for the slow pace of their AML improvement.

Then we have an amalgam of Australian, Canadian, and British institutions following suit with over $300 million in fines, all for the same cause: processing criminal funds.

And yes, $7 billion in fines is huge, but the true scale of the problem is enormous. 

The Trillion Dollar Problem

The recently released 2024 Global Financial Crime report by Nasdaq Verafin estimates that in 2023, the total illicit funds flowing through the global financial system hit 3.1 trillion dollars. Yes, that’s only 2023.

This gave way to about $464.6 billion in losses from bank fraud schemes, which tells us that the fines are only a slice of the liability cake. There’s nowhere to go but up. Knowing all this, it may seem ridiculous to the untrained eye that banks don’t follow these regulations. But, of course, that’s not the whole story.

If you’re a compliance officer, risk manager, or AML analyst, you know your organization spends more than considerable resources on these issues. AML, KYC, and CDD solutions (and processes) are implemented across the entire sector - so why are banks still facing fines?

It’s a simple answer but a complex problem: It’s 2024.

New technology is being invented every day, but banks (for the most part) are old. As the gap between technology and business processes widens, security spending is desperately trying to catch up - and we can see it in real time.

A Gartner report forecast that global security spending will total $215 billion for 2024, a 14.3% increase from last year, with notable increases in Identity Access Management and Data Privacy.

This investment directly addresses the non-compliance fines and game of technology-catch-up we’re talking about, but… there’s a problem. The numbers were large last year as well. They’ve only been growing.

IT spending, specifically in banking, was estimated to be $652 billion, and with security at the forefront, the question still stands.

If we’re addressing the pace of technology and the sophistication of new threats with larger security budgets, once again, why is there seemingly no progress?

Well, it may not be a question of “How much money do we spend?” but more of a “Where do we spend it?” problem.

But the “Where?” should also be straightforward, shouldn’t it? 

Isn’t the answer “Compliance?”

The Analog Solution (and why it doesn’t work anymore)

Compliance requirements and regulations are long.

The required reporting, unending changes, and countless regulatory watchdogs make it complicated at best. But, when discussing our solution to this trillion-dollar problem, we’ll concentrate on the one piece of legislation that matters the most: The Bank Secrecy Act of 1970 (BSA).

The BSA has many amendments, too many to cover here. However, we've broken down nine of them along with their AML requirements before; in short, the BSA is considered the major ‘compliance rulebook’ for financial institutions.

Being law, the BSA does have a handler: The Financial Crimes Enforcement Network (FinCEN).

FinCEN is the primary body that sets out guidelines and changes to the BSA and, as its name suggests, enforces it as well. These regulatory changes build on past requirements. Some are specific, others are vague, all need to be interpreted, and that’s a job for compliance teams.

Compliance departments are created to ensure that banks follow these regulations. The job isn’t simple. Their task is constantly and meticulously interpreting regulations to avoid a repeat of 2023: billions in fines, even more in fraud losses, and a corrosion of consumer trust. 

Some specific AML requirements are:

  • Flagging and reporting cash deposits over $10,000 a day (Currency Transaction Reporting).

  • Creating a framework to identify transactions related to money laundering and reporting when they’re over $5,000 (Suspicious Activity Reporting).

  • Recording international transfers exceeding $3,000 and the sender and recipient details.

  • Recording US customers that exceed thresholds in foreign financial accounts.

In addition, creating policies and procedures for adverse media, PEP screening, and cross-referencing sanctions with watchlist data are all part of the requirements, though these are more vaguely defined.

Enter Technology (or a lack thereof)

We all know our banks aren’t using pen and paper.

For banks to operate their business (sometimes spanning multiple cities, states, or countries), they need a way to keep track of and manage accounts, customers, interest calculations, loans, and, most importantly, deposits and withdrawals.

To keep track of all of this in real time (for countless customers), banks use something called a Core Banking System (CBS) - which is essentially a specialized ERP/CRM system.

In managing these transactions, these massive and complex systems have compliance modules - and this is where our compliance teams start addressing all these rules set out in the BSA.

As we said earlier, the answer to preventing fraud is simple, but the problem is complex - it’s 2024, but the most popular Core Banking Systems are old.

  • SAP for Banking was released in the 1990s

  • Infosys FINACLE in 2000

  • Temenos T24 in 2003

These systems are widely used by some of the largest banks in the world, and of course, they’re updated often enough, but being multifaceted systems, their primary purpose isn’t stopping fraud.

CBSs provide basic transaction monitoring, like setting limits to flag the dollar amounts and deposit frequencies mentioned earlier. Their anti-money laundering capability is worse: it has only limited reach when performing critical tasks like watchlist screening.

These systems fall over when criminals: 

  • Start depositing under threshold limits.

  • Use sophisticated or erratic deposit patterns.

  • Hide their money with fake business activities.

  • Leverage AI to tamper with ID or doctor documents.

This is why the fight against money laundering, fraud, and other criminal activity is tedious and expensive.

However, these goliath banking systems do allow for integrations; in fact, they rely on them. But, if you’ve worked in a large organization with legacy software before, you know that integration isn’t just a pain; it's the pain.

Legacy banking systems rely on legacy AML solutions delivered by legacy providers, all culminating in the enormous fraud losses we’ve been discussing. 

Remember Danske Bank and their 2 billion dollar fine? A part of their settlement was upgrading their AML procedures, a 2018 to 2022 project costing $1.2 billion. This price tag could have been much smaller and much more incremental without the additional fine for AML system failures.

Legacy AML and fraud prevention solutions are:

  • Difficult to integrate and rely on many ‘band-aid’ solutions to emerging problems.

  • Automation-deficient, requiring unnecessary manual intervention.

  • Severely lacking in the capability to mitigate new threats.

  • Built on siloed data, leading to false positives in flagging threats.

  • Expensive over the long run as the CBS of choice becomes more entrenched with legacy workflows.

And the use of these old AML systems is rampant - much like the criminal activity they fail to curb.

Banks are left with two solutions: 

  1. Overhauling their Core Banking System to a more modern system with better capacity to integrate AML solutions (expensive and time-consuming), or, more realistically, 

  2. Changing their AML and fraud detection provider by partnering with fintechs and emerging contenders in the space.

Gartner has published case studies on how some banks assess the question of partnering with fintechs, buying their COTS products, or customizing the solutions they provide - it all comes down to flexibility and ease of integration.

So we’ve hit bedrock. 

Criminal activity is inevitable, but the cause of fines and fraud losses is an inadequate response to that unavoidable activity; in other words, the cause is using legacy AML. In saying this, we now better understand the solution: adopting a flexible, modern, and easily integrated fraud prevention solution.

The Fix: Integrating Modern Fraud Detection

The simple compliance rules and cash thresholds of legacy AML solutions are no longer enough.

AI-powered criminal activity is now taking center stage. Synthetic fraud, i.e., the use of PII to fabricate a person, is on the rise at 38% year-over-year (YoY), targeting U.S. auto loans, bank credit cards, retail credit cards, and unsecured personal loans.

In 2024, it’s estimated that over 95% of US citizens will be banked, meaning the top banks will serve tens of millions of customers with multiple accounts (all carrying individual risk).

With more regulations, sophisticated technological threats, and a wider risk surface (that comes with millions of customers), it’s now a prerequisite for banks to use modern identity verification and fraud detection to avoid losses.

Fraud detection solutions need to go beyond flagging the basics; they need to:

  • Automate the creation of, and decision-making for, risk profiles based on risk tolerance.

  • Access global authoritative sources while being sophisticated and targeted in risk scoring.

  • Ensure customer due diligence requirements are met.

  • Sequence identity checks across multiple authoritative data sources while remaining cost-effective.

  • Scan and flag high-risk individuals across global watchlists and sanction lists.

  • Check for adverse media presence and flag politically exposed persons.

  • Remain flexible and integrate seamlessly with systems already in use.

All while ensuring the customer experience remains frictionless, match rates are maximized, false positives are minimized, and legitimate new account holders aren’t sacrificed for security.

The providers that have demonstrated these advances in their capabilities, that can handle all touch points across CDD, KYC, and AML, and, of course, seamlessly integrate with leading Core Banking Systems: those are the solutions banks must adopt.

It’s pivotal that compliance teams identify providers that can deliver these capabilities and ask the right questions when considering options.

Data Zoo’s Identity-Proofing Buyers Guide Questionnaire is a great starting point in ensuring customer due diligence is on par with or beyond industry standards when evaluating fintech partners.

Another point to consider is whether their compliance certifications provide an extra layer of security when it comes to data handling.

After confirming these modern capabilities are available and industry certifications are present, banks will be in one of the most advantageous positions for fraud prevention as well as AML and regulatory compliance as a whole.
