AML Isn't Working
We need to rethink AML for the new economy.
Dateline: Woking, 25th January 2022.
I remember thinking about the whole Customer Due Diligence (CDD) thing last year because of a tweet from the noted investor Paul Graham in which he asked, quite reasonably :
What is the ratio between trouble caused for the innocent to trouble caused for the guilty by KYC regulation?
That's a good point, and while I don't know what the answer is, I do know that a study published last year by financial-crime expert Ronald Pol concluded that the global AML system could be "the world's least effective policy experiment" and that compliance costs for banks and other businesses could be more than 100 times higher than the amount of laundered loot seized.
(That may seem astounding, but it is correct. The UN estimates for the seizure of criminal assets globally are in the region of $1.5 billon while the Lexis-Nexis estimate for the global costs of AML compliance are in the region of $180 billion.)
This is an unsustainable dynamic and not only because of the costs. Lisa Moyle summed up the unsatisfactory nature of CDD a while back, writing that the current rules are neither effectively preventing nor capturing crime. Instead, she says, they risk making financial institutions so overly cautious that they only serve to exacerbate the problems of the marginalised and excluded as well as creating barriers for honest customers.
Lisa is spot on and to her comments I would add those of Rob Wainwright, when Director of Europol, who said that "professional money launderers are running billions of illegal drug and other criminal profits through the banking system with a 99 percent success rate".
In summary then, we are only intercepting a miserable one percent of the dirty money. The costs that the regime impose on the finance sector are staggering. Yet these enormous costs achieve next to nothing.
Now, this is not to say that the money is totally wasted, because undoubtedly some serious crimes are detected or deterred because of the regime. While we would all agree that we need more effective action against serious and organised crime, it is not at all clear that the money spent on AML is worth it. In fact, the global Money Laundering/Terrorist Financing (ML/TF) regime is, according to the Journal of Financial Crime 25(2), "almost completely ineffective in disrupting illicit finances and serious crime".
Bad To Worse
Not only does the regime we have now do little to hamper terrorists, money launderers, drug dealers, corrupt politicians or mafia treasurers, it does massively inconvenience law-abiding citizens going about their daily business. According to an interesting paper in the Journal of Money Laundering Control 17(3), the Financial Action Task Force (FATF) identification principles, guidance and practices have resulted in "largely bureaucratic" processes that do not ensure that identity fraud is effectively prevented. Were strict identification requirements to be imposed everywhere and in all circumstances, though, there would be an even more negative impact on financial inclusion because of the barriers that Lisa referred to. How would this factor in cost-benefit analysis?
(The issue of cost-benefit analysis is an important one, but I don't want to get side-tracked here. Suffice to note that I saw a presentation from Michael Mainelli a decade back when he reported on a City of London study on the cost-benefit of AML, noting that in common with other similar studies that it was unable to find any benefits at all, only costs, and to the best of my knowledge nothing has changed since then.)
Surely it's time for a rethink, starting with the fact that we now live in a world of data science, machine learning and artificial intelligence (AI) and the impossibility of doing anything about the cost-benefit situation around regulation and compliance without machine brains to help us. This line of AI-centric thinking can be more disruptive than might seem at first glance because it suggests an alternative vision of regulation where we do away with a lot of the expensive barriers to entry to the financial system, those pot holes for criminals but chasms for legitimate users and instead use machine brains to police what is happening inside the system.
(There are other negative impacts from the current "high walls" approach. I remember a discussion with the then-Treasury minister Andrea Leadsom at TechUK back in 2015, during which she noted that CDD is itself a friction against a more competitive financial services sector because it serves to create a moat around the larger incumbents.)
The Solution Makes The Problem Worse
The point about AML solutions making the problems worse reminds me of the case of Faruk Fatih Özer, founder of the now-defunct Turkish crypto exchange Thodex, who vanished last year along with $2 billion in cryptocurrencies from the exchange, had fled not only with customers' cryptocurrencies, but also with their identities. As David Gerard so eloquently phrased it, Özer paid the most "painstaking attention" to money-laundering compliance and was therefore able to take detailed Know-Your-Customer (KYC) data for hundreds of thousands of users with him. This data included scans of the customers' national ID cards, once again proving that digitising identity is no substitute for digital identity.
Now, of course, the reason why Mr. Özer had such a treasure trove of customers' personally identifiable information (PII) was because regulators had forced him to obtain it. So maybe it should be up to the regulators to fix the problem! But what are they going to do? What will happen to all of the people whose identities were stolen in this way? Are they all going to be given new identities in a vast national witness protection programme while their old identities are cancelled? Will the authorities give everyone a new name and a new number, cancel their old ID cards and send them new ones?
Well, of course not. Insane CDD demands continually force us to hand over our sensitive personal information to every Tom, Dick and Faruk on the internet while doing nothing to help us when our personal information is inevitably compromised as it must be when it’s sprayed around the web at the behest of regulators.
Me: hello crypto exchange, I'd like to open an account. Exchange: ok, please log in to your bank. Bank. Hello Dave, someone wants to know who you are. Can I tell them? Me: yes, but don't give them any personal information. Bank: ok exchange, here is an unforgeable cryptographic message that contains unique ID for this customer 1H3XBZQ29J to confirm that they are a real person that we have already performed due diligence on, they are over 18 and they are resident in this country. Exchange: cool, here's $5 for you bank and hey welcome on board 1H3XBZQ29J.
Now, no-one at the exchange knows who 1H3XBZQ29J is so when the exchange gets hacked, as is generally the case, or is the subject of a massive fraud by employees, your personal information is not comprised. Simple. Now, if transaction analysis shows that 1H3XBZQ29J is sending vast sums of money to some shady businessman or a corrupt politician, then law enforcement officers can apply to a judge for a warrant, take it to the bank and say "hey, who is 1H3XBZQ29J" and the bank will tell them "it's Dave Birch".
We have to recognise these legitimate needs for law enforcement, but we can do this while protecting privacy. The US Office of Foreign Assets Control (OFAC), which carries out economics- and trade-based sanctions is currently out shopping for tools for tracking virtual currency transactions, such as those involving Bitcoin, to help to build cases against individuals, entities or organisations that might appear on the “Specially Designated Nationals List” and I don’t see why that couldn’t be extended to include a “Specially Designated Cryptography Key List” so that law enforcement officers could tell an exchange “sorry but 1H3XBZQ29J is on the sanctions list, so you can't do business with them any more”.
The key point here is that national security, law enforcement and the world of commerce have not been compromised because the exchange does not know who 1H3XBZQ29J is. There is no reason for the exchange to know who I am, so long as they know that someone knows who I am. A regulated financial institution knows who 1H3XBZQ29J is and that's good enough.
Frankly, using names as identifiers for the purposes of due diligence seems pretty pointless anyway. Anyone can change their name to anything, because names are attributes not identifiers. In the UK for example, hundreds of convicted sex offenders have paid £15 to change their names by deed poll so that they don't show up on searches of criminal registers. This only goes to reinforce my prejudice that there's no earthly reason to store a person's name in registers. The register should be a place to store the things that are unique, that uniquely identify you: your biometrics, for example, or some unique cryptographic key that has been previously authenticated by you. Your name should be treated as nothing more than a mildly interesting attribute: it does not identify you in any way.
Let The Wrong One In
I’d like to bang the drum for the idea that instead of trying to prevent criminals for getting in to the system, we instead let them in and monitor what they are up to. If we force them to continue using cash, then we have no idea what they are up to! Whereas if we can persuade them to use electronic transactions of some kind, particularly those that leave an immutable record of criminality, then we would actually be better off! Since cash cannot be tracked around the economy, we (society) have put in place a whole bunch of complicated and expensive rules about accounting for cash when it enters the financial system. But suppose there wasn't any cash. Suppose there was only Bitcoin. In that case, as I pointed out some time ago, you wouldn't need anti-money laundering (AML) regulations at all because you would be able to follow every coin around the blockchain!
Many observers, and Bitcoin fans in particular, say that this is nonsense because there are a variety of ways to jumble up and otherwise obfuscate the sources of value in transactions on the Bitcoin network. I never saw this as a realistic barrier to criminals though, and I noted that a simple rule that required banks to investigate any coins that had originated in anonymous wallets (or mixers) would be sufficient to stop the large-scale use. Also, you will remember that U.S. Department of Justice (DoJ) has already shown its intentions. You will remember they indicted Larry Harmon for creating the Bitcoin mixer "Helix" (in addition, Fincen fined him $60m last year) and have just arrested Roman Sterlingov, the alleged operator of Bitcoin Fog, a custodial bitcoin mixer that it says processed over 1.2 million BTC.
To recap then. We erect (expensive) KYC barriers forcing people to give their personal information to crooks and then compel institutions to conduct (astonishingly expensive) AML operations, using computers and laser beams to emulate handwritten index cards and suspicious transaction reports (STRs). But as I have suggested before, suppose that KYC barriers were a lot lower so that more transactions entered the financial system. And suppose the transaction data was fed, perhaps in a pseudonymised form, either to a central AML factory or through a federated service operated by financial institutions, where AI and big data, formed the front line rather than the (duplicated) ranks of foot soldiers in every institution.
With this approach, the more data fed in then the more effective the factory would be at learning and spotting the bad boys at work. Network analysis, pattern analysis and other techniques would be very effective because of analysis of transactions occurring over time and involving a set of (not obviously) related real-world entities.
The benefits to the wider economy are obvious - more access to financial services as well as more interdiction of actual money launderers, terrorists, corrupt politicians and tax evaders. I think we need to plan for this new form of CDD for the digital age. We all know that COVID-19 is accelerating the evolution of digital onboarding, and that's great. But we need to move to the next level: digital KYC and digital AML. I call this Digital Due Diligence (DDD) and now that we live in a world where digital identity is becoming a thing (both for people and for organisations) it's time to plan for a faster, more cost-effective and more transparent approach that is based on the world we are actually living in.
You Can Get There From Here
How do we shift from CDD to DDD? It is interesting to reflect on what mechanisms there might be available to institutions to take some of that cost and use it to obtain organisational benefits, part of what I've taken to calling the Digital Due Diligence (DDD) replacement for the current analogue/digital mishmash of Customer Due Diligence (CDD).
The good people at Banking Circle published a white paper about this in May. The paper "Better By Design? Rethinking AML for a Digital Age" looked at a variety of means to make AML not only more efficient but also an element of competitive strategy for financial institutions. I strongly agree with what their CEO, Anders la Cour, writes in his introduction: "Indeed, far from being a burden, the right approach to AML can be an enabler - driving efficiencies and leaner processes, and in turn helping to create the mindset for urgent digital transformation initiatives". What I think this means in practice is a focus on collecting vastly more data to support decisions and using artificial intelligence and machine learning to make sense of that data, technologies and activities that have wider benefits to an organisation if not confined to compliance.
That's a good point, and it is an interesting report for many reasons, but what really stood out to me was a comment from Professor Brigitte Unger, Chair in Public Sector Economics at Utrecht University and the principal author of the European Parliament's report on money laundering. Prof. Unger echoed the criticisms set out at the beginning of this article, arguing that previous policy approaches to AML cannot prove that they have had any positive effect. Not "some" positive effect or a "limited" positive effect but "any" positive effect at all. Any. She says that there is "no solid evidence that these approaches have achieved anything", going on to observe that "AML regulation has a big legitimacy problem. Regulators and politicians must do more to prove their effectiveness."
The Economist says that these numbers tell of a war "being lost", referring to a report from John Cusack, an ex-chair of the Wolfsberg Group, an association of banks that helps develop AML standards. The report estimates that there was some six trillion dollars of financial crime perpetrated in 2018, almost 7% of global GDP, and while statistics on how much is intercepted by authorities are patchy, a decade-old estimate by the United Nations Office on Drugs and Crime put it at just 0.2% of the total. I'd be surprised if it is that high.
It isn't only financial institutions being forced to shell out because the EU’s sixth anti-money laundering directive (6AMLD) expands on the number of crimes that are categorised as money laundering. It attempts, in particular, to target the use of property transactions to facilitate money laundering and "aiding and abetting, inciting and attempting" now falls under the money laundering bracket and enforces the same criminal punishment as money laundering.
Is it really worth spending all of that money in order to recover so little (i.e. zero to all intents and purposes) when the money could be spent on developing new products and services to improve the overall financial health of the nation? I think not, which is why Anders' comments caught my eye. Making the new technologies part of a digital transformation strategy that delivers more cost-effective compliance almost as a byproduct, rather than as a compliance function with no return on investment beyond reduced fines from regulators, has to be a better way forward.
Right now, I am hearing estimates that British banks are trying to shed something like a quarter of their compliance staff and boost their IT spending to cover for them. Perhaps this is a real opportunity for new thinking around new technology and a way forward to actually do something about crime.
UKplc as a jurisdiction should rethink compliance for competitive advantage. As part of a post-Brexit project to boost British invisibles, we should take jurisdictional competition seriously and create a compliance regime built on this new technology rather than an industrial age mishmash of shaky identification documentation and millions of false positive suspicious transaction reports.
More specifically, we need to begin this new compliance regime by creating a digital identity infrastructure fit for the 21st century, which means digital identity not only for people but also for companies. The government’s digital identity framework is, in principal, the right way forward but it needs more concerted action by the government and the industry to get the change that we need.