
Case Study: Financial Crime And Fraud

Instructor  Micky Midha

Learning Objectives

  • Describe elements of a control framework to manage financial fraud risk and money laundering risk.
  • Summarize the regulatory findings and describe the lessons learned from the USAA case study.

Definition Of Financial Crime

  • In the UK, the Financial Conduct Authority’s (FCA) Handbook defines financial crime as any kind of criminal conduct relating to money or to financial services or markets, including any offence involving –
    • (a) fraud or dishonesty; or
    • (b) misconduct in, or misuse of information relating to, a financial market; or
    • (c) handling the proceeds of crime; or
    • (d) the financing of terrorism.
  • Hence, financial crime includes internal and external fraud (a and b), as well as money laundering (c) and terrorism financing (d). These fall under the operational risk category of “Clients products and business practices” (CPBP) and are considered a breach for any organization involved in handling proceeds of crime or funding terrorism.

Definition Of Internal Fraud

  • BCBS defines internal fraud as follows – losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party.
  • Internal fraud has been discussed as an operational risk type, including two subcategories –
    • Unauthorized activities – These involve intentional violation of laws or internal policies by an employee, and may not necessarily result in financial loss for the firm. Examples of unauthorized activities include intentional non-reporting of transactions, mismarking of trading positions, or execution of unauthorized transactions. Other examples are sharing passwords, disclosing confidential information, or mis-selling financial products to vulnerable clients. Nowadays, unauthorized activities are commonly referred to as misconduct, as stated by the FCA in point b of its definition.
    • Theft and fraud – These involve misappropriation of assets, including extortion, embezzlement, malicious destruction of assets, bribery, and tax evasion.

Definition Of External Fraud

  • BCBS defines external fraud as follows – losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.
  • External fraud is defined similarly to internal fraud, but committed by a third party without the subcategory of unauthorized activity. The Basel committee defines another subcategory of external fraud as “systems security”, which involves hacking damage and theft of information. With the increasing digitization of financial services, this category has become prominent. Cyber and information risk management, also known as information security risk management (ISR), has become a specialized branch of operational risk management in the last decade.
  • The COVID-19 pandemic has increased the risk of fraud for financial institutions. According to recent studies by the American Bankers Association (ABA), fraud attempts have tripled in 2021 since the lockdown in March 2020. With many employees working from home, wire transfer and email scams have seen a significant increase, and phishing emails have multiplied 6 to 7 times over the first year of the pandemic.

Anti Money Laundering (AML) And Terrorism Financing (TF)

  • The European Directive of 20 May 2015 updates the rules on preventing the use of the financial system for money laundering and terrorist financing. It applies to financial institutions and other professions at risk. It defines money laundering and terrorism financing in article 1. Regulators identify money laundering activities as follows –
    • converting or transferring property from criminal activity to conceal its origin or assist others in evading legal consequences,
    • disguising or concealing the nature, source, or ownership of criminal property,
    • acquiring, possessing, or using property from criminal activity, and
    • participating in or aiding any of the above actions.
  • The IMF defines terrorism financing as the act of providing or collecting funds, either directly or indirectly, with the intention or knowledge that they will be used, in part or in full, to carry out any activity deemed a terrorist offense by the authorities.
  • National lawmakers and regulators must prohibit money laundering and terrorism financing. UK regulatory guidelines state that banks without effective AML and CTF controls risk regulatory fines, business restrictions, and prosecution if found holding proceeds of crime.

Internal Fraud Management

  • Historically, banks’ internal audit departments were responsible for managing internal and external fraud, and some banks like ING had a subdivision called “inspection” dedicated to detecting, monitoring, and reporting fraud. Forensic specialists and former police officers often work in the fraud risk management department of financial institutions. While most firms state in their risk appetite statements that they have “zero tolerance” for internal fraud, this means that every perpetrator caught will be punished rather than suggesting the risk cannot occur.
  • The fraud risk management framework comprises four components –
    1. Selection involves screening employees, contractors, and third parties for alignment with the organization’s values and ethical standards. This step also sets the tone from the top and the organization’s culture, making people management easier. Selection and profiling are key risk-mitigation mechanisms in AML and third-party risk management.
    2. Prevention involves key controls for fraud prevention, such as clearly defining the rights, authority, and access of each function. This step is essential to fraud risk management.
    3. Detection of fraud quickly is critical to limit its impact. Detective controls are important in internal fraud management and act as a deterrent by reducing the incentives to commit fraud. Team supervision and monitoring are effective ways to limit internal fraud, and managers should be alert to detect signs of suspicious behavior that may indicate the risk of fraud.
    4. Deterrents are announced sanctions and actions following fraud, acting as disincentives for employees to commit fraud.

External Fraud Management

  • External fraud management shares similar components with internal fraud management, but with a focus on external bad actors, including professional criminals, customers, and business partners.
  • External fraud includes bank robbery, check kiting, wire transfer fraud, credit card fraud, identity theft, and misrepresentation of income and assets in loan applications. It can be categorized as “first-party” or “third-party” fraud depending on whether the fraud is committed by the customer or business partner for their own benefit or by an external actor who may impact both the customer and the bank.
  • External fraud requires specialized teams to manage the various types of fraud and actors involved. For instance, a bank’s physical structures, including ATMs, are monitored and secured by company security to prevent robbery, and they collaborate with local law enforcement in case of incidents. Retail banks often have teams dedicated to deposit/check fraud and credit/debit card fraud, working with specialized law enforcement to discover and catch perpetrators.

AML Risk Management

  • Typically, criminals use multiple phases to make the proceeds of their criminal activity appear legitimate. The money laundering process includes three phases –
    1. The placement phase involves various techniques to conceal the origin of the funds, such as transferring cash to businesses, using false invoices, utilizing trusts and offshore companies, smurfing, and utilizing foreign bank accounts.
    2. Layering involves using a combination of placement and extraction strategies with varying amounts and patterns to make it difficult to track transactions and bypass anti-money laundering controls.
    3. The final stage of integration or extraction involves withdrawing the money for use without attracting attention from law enforcement or tax authorities, often through means such as fake payments to employees, fake loans, or dividends to accomplices.
  • A diagram is presented on the next page that outlines the essential risk mitigation measures for AML risk in financial institutions and banks. This diagram mirrors the structure presented for internal fraud, emphasizing the similarity in risk management strategies used for different types of fraud risks.
  • The first and most important step in AML controls is customer profiling and selection, including the verification of identity documents and the origins of funds. This is known as KYC (know-your-customer). Regulators and industry guidance recommend a risk-based approach to AML risk, with customers categorized as low, medium, or high risk based on factors such as country of operation, industry, and transaction history. Monitoring criteria include PEP lists, transaction volume and type, and documentation supporting the origins of funds.
  • AML governance is crucial, with a dedicated MLRO (money laundering risk officer) and written policies, employee training, and regular reviews to keep customer data and monitoring systems current.
  • RegTech companies using data analytics have become popular for AML compliance services in recent years. They use machine learning to automate customer profiling, due diligence, and identity validation. Machine learning can detect anomalies in customer behavior and help raise alerts early. Automated AML checks can also verify if customers are sanctioned or politically exposed persons (PEPs). Digital challenger banks in the UK use AI-based controls, but their quality is under regulatory scrutiny. The US Treasury Department’s Office of Foreign Assets Control (OFAC) maintains a sanction list of individuals and companies, and every company doing business in the US must ensure their clients are not on the list.

Case Study (USAA) And Lessons

  • USAA FSB was fined $140 million by FinCEN and the OCC in March 2022 for willfully failing to implement and maintain a BSA/AML compliance program from January 2016 to April 2021. Deficiencies included inadequate internal controls and risk management practices, suspicious activity identification, evaluation, and reporting, staffing, training, and third-party risk management.
  • The bank’s BSA/AML compliance department was also significantly understaffed, and the bank relied on contractors to fill the gap. Using contractors is a common practice in banking during AML remediation programs, where institutions face large spikes in workload and tight deadlines. However, regulators found that the bank failed to properly train contractors or ensure that they had satisfactory qualifications and expertise, making the problem worse.
  • The new transaction monitoring system implemented in 2021 was too sensitive and created an unmanageable number of alerts and cases. These backlogs led to unreasonable delays in the detection and reporting of potentially suspicious activity.
  • This case highlights a crucial lesson that regulatory findings should not be ignored, as heavy fines result from accumulated failings and procrastination in implementing necessary changes to meet regulatory requirements. Implementing changes can be difficult and uncomfortable, leading most firms to postpone them until the last minute. However, this delay can be too late, as in the case of USAA.
  • The fines imposed on USAA were due to a lack of control over AML risk, not because of demonstrated AML cases. It should be noted that weak AML control environments can lead to fines by regulators, not just in the US but also in the EU, UK, and Asia, where banks have been fined heavily for failing to demonstrate the proper design and operation of their AML controls. For example, in 2020, authorities in the Asia-Pacific region issued fines totaling $5.1 billion for AML law breaches and related misconduct, representing a seven-fold increase from the previous year.
  • Regulatory findings and sanctions lead to costly AML remediation programs, also known as lookbacks, where banks must review client files, verify information, file suspicious activity reports, and potentially close suspicious accounts.

Challenges

  • In AML, technology and automation of detection and alerts are beneficial, but the model’s proper parametrization and a feedback loop on false positives and negatives are crucial for improvement. Without tracking these factors and the evolving nature of financial crime, financial institutions may fall behind in their legal requirements to limit criminal or terrorist access to the financial system.
  • The COVID-19 pandemic has also made it challenging to identify anomalies due to changes in customer and business behavior, such as a rise in remote transactions.
  • AML and fraud risk management are continuously evolving in response to changing fraud patterns and tactics, making it challenging for banks and other financial institutions to adapt their control framework to evolving threats.
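
The feedback loop on false positives and negatives described above, as an added example that is not part of the original notes: analyst dispositions on scored events are used to measure each candidate alert threshold and to pick the most sensitive one whose alert volume still fits review capacity. The scores, labels, candidate thresholds and capacity figure are all constructed for illustration.

```python
# Added example: tuning a transaction-monitoring alert threshold from
# analyst feedback. All data below is constructed, not from any real system.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Metrics:
    threshold: int
    alerts: int                 # events scoring at or above the threshold
    true_pos: int               # alerts confirmed suspicious by analysts
    false_neg: int              # suspicious events the threshold missed
    precision: Optional[float]  # None when the threshold raises no alerts
    recall: Optional[float]     # None when there is no confirmed case at all

# (model risk score 0-100, confirmed suspicious after review or lookback)
EVENTS = [
    (95, True), (91, True), (88, False), (84, True), (79, False),
    (76, True), (72, False), (68, False), (65, True), (61, False),
    (58, False), (55, False), (52, False), (47, True), (44, False),
    (41, False), (38, False), (33, False), (29, False), (21, False),
]

def evaluate(events, threshold):
    """Measure one threshold against the labelled feedback."""
    alerted = [suspicious for score, suspicious in events if score >= threshold]
    total_suspicious = sum(1 for _, suspicious in events if suspicious)
    tp = sum(alerted)
    return Metrics(
        threshold=threshold,
        alerts=len(alerted),
        true_pos=tp,
        false_neg=total_suspicious - tp,
        precision=tp / len(alerted) if alerted else None,
        recall=tp / total_suspicious if total_suspicious else None,
    )

def pick_threshold(events, candidates, capacity):
    """Lowest threshold (highest recall) whose alert count fits capacity."""
    for t in sorted(candidates):
        m = evaluate(events, t)
        if m.alerts <= capacity:
            return m
    return None  # nothing fits: a backlog is unavoidable at current staffing

if __name__ == "__main__":
    for t in (20, 40, 60, 80):
        print(evaluate(EVENTS, t))
    print("chosen:", pick_threshold(EVENTS, (20, 40, 60, 80), capacity=10))
```

On this sample, lowering the threshold from 60 to 40 recovers the one missed case but adds six alerts that are all false positives, which is the trade-off behind an over-sensitive system and its backlog.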
