The computer systems banks use to sniff out credit card fraud are vastly different from the ones they use to detect money laundering. Given the relative seriousness of the crimes, which technology is more sophisticated might come as a surprise.
While banks have learned to tackle consumer fraud with increasingly sophisticated technology that deploys complex behavior and pattern analysis, among a host of other tools, the same cannot be said for money laundering. When it comes to corporate risk, anti-money laundering software platforms are stuck, comparatively speaking, in the Stone Age: The technology used is backward-looking and rules-based, dependent on static items like criminal watch lists or country blacklists.
Estimates place the amount of money laundered annually at $3 trillion, about the same size as the entire U.S. budget, and enforcement actions are on the rise. The cost of a breakdown can be dire, as HSBC Holdings PLC's recent experience shows. It may be hit with a fine of as much as $1 billion. In November, the London-based bank revealed in its Securities and Exchange Commission filings that
HSBC said the investigation pertained to its bank note and dollar clearing services as well as compliance issues with the Office of Foreign Asset Control, and a lack of adherence by some customers to U.S. tax reporting requirements. News stories have reported the problems may have been related to
A new regulatory focus on stripping has caused many banks to take a harder look at the systems they've developed to combat the problem, most of which have been home-grown and are outdated, experts said. Vendors have recently developed software that can help banks identify and prevent stripping. The software essentially sends up alerts when it detects missing information in the pertinent fields. But it's costly, potentially running into the millions of dollars for large banks. While that may not sound like a lot for a bank of HSBC's scale, it's an additional expense that most banks have delayed making.
The more complex ways people bank today have added to the difficulty of detecting trouble. Electronic banking, ACH transfers and always-on consumer connections have greatly increased the volume and velocity of money flows, giving launderers more opportunities to ply their trade.
Still,
"When it comes to AML compliance, the regulations may be written in black and white, but their application is pretty gray, and it is in these gray areas that banks find themselves with lots of challenges," Dennis Lormel, founder and principal of DML Associates, in Lansdowne, Va., says.
HSBC, which declined an interview request through a spokesman, has plenty of company in the regulatory penalty box. Barclays PLC paid nearly $300 million for facilitating or concealing wire transfers to blacklisted countries in 2010. The same year, The Royal Bank of Scotland Group PLC booked a half-billion dollar fine for similar malfeasance, and Wachovia Corp., now part of Wells Fargo & Co., paid $160 million for failing to conduct adequate due diligence and adequately monitor remote deposit capture and wire activity. (A year earlier, Credit Suisse Group AG was fined more than $500 million for concealing wire transfers to blacklisted countries.)
"The magnitude of the violations weren't fully understood by these local offices — they viewed the AML procedures as an obstacle to revenue, and they were devising means to evade the rules and generate revenues for the business," Julie Conroy McNelley, a senior analyst for Aite Group LLC, says.
Though HSBC may be hit with the biggest fine yet, AML breakdowns carry a lower reputational cost than credit card data breaches. While mistakes affecting retail customers can cause widespread embarrassment for the brand, money laundering crimes are usually a specialty item in the business pages.
"The AML organizational incentive in banks is to keep the regulators happy, and keep the bank from being fined," McNelley says.
Simultaneously, technology firms are often indirectly penalized for creating new or innovative software that could actually help fight money laundering.
"It is challenging to be the early adopter because you will get additional questions of how it works and have regulators camped out at institutions," McNelley says.
Most of the top security vendors for retail banks also supply anti-money laundering products and services, and they are in the process of updating their offerings.
Many vendors say that ideas from consumer fraud departments have started to cross-pollinate with anti-money laundering suites.
So, ultimately software platforms will combine capabilities like real-time anomaly detection, behavioral modeling, and activity alerts that can merge watch list filtering, currency transaction reporting and suspicious activity reports, to get a more comprehensive picture of potential money laundering activity.
SAS Institute Inc., of Cary, N.C., for example, recently announced the latest version of its anti-money laundering suite, called SAS Anti-Money Laundering, which includes predictive analysis, a staple of real-time consumer fraud fighting technology.
SAS's platform creates a "customer signature" of account behavior to which it adds proprietary algorithms that it claims can predict money laundering activity.
"The biggest problem is that many mid- to large-sized banks have such a volume of transaction and activities, that trying to detect money laundering is like finding a needle in a stack of needles from the haystack," David Stewart, director of financial crimes and compliance for SAS, says.
In other words, good AML controls will flag far more transactions than just the illegal ones. That means that banks must make cost-benefit decisions about which potential consumer fraud they will pursue and which they won't.
Still, banks are finding new technology indispensable to fight money laundering.
Ridgewood Savings Bank, of New York, a $4.7 billion asset bank, says it generates about 25 suspicious activity reports each day. With the help of anti-money laundering software from Attus Technologies and Wolters Kluwer, it makes continuous determinations.
"For the most part the activity is weighted, so if something occurs today, then we might not look at it," says Lisa Funaro, a compliance officer for Ridgewood. However, continuing activity on the same account would get a higher risk ranking and flagged for a closer look by money laundering personnel later on.
All parties are drowning in data. The U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) received 14.8 million currency transaction reports (CTRs) in its fiscal year 2011, which ends September 30. Similarly, it received 1.4 million suspicious activity reports (SARs) in 2011.
In the past five years the information has been analyzed at the 100 SARS activity sites linked to U.S. attorney districts nationwide. FinCEN is also more than halfway through modernizing systems to more effectively churn through the volumes of SARs submitted by banks, says Steve Hudak, a FinCEN spokesman.
"There used to be the commonly held argument that this information went into a black hole and was not looked at, and this is completely untrue," he says.
But money laundering is a moving target. As criminals become more sophisticated, they have learned how to avoid triggering reports, for example by transacting below the $10,000 cash threshold which automatically generates a CTR. New systems must also look at things like repeated cash advances below that threshold, which might indicate criminal activity.
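The kind of check this paragraph calls for, combined with the rising risk ranking for continuing activity that Ridgewood describes, can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the seven-day window, the minimum count of three and the score formula are assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000        # cash threshold that automatically generates a CTR
WINDOW = timedelta(days=7)    # assumption: rolling look-back window
MIN_COUNT = 3                 # assumption: "repeated" means at least three events

def find_structuring(transactions, threshold=CTR_THRESHOLD,
                     window=WINDOW, min_count=MIN_COUNT):
    """Flag accounts whose sub-threshold cash activity inside one rolling
    window is repeated and adds up to the reporting threshold or more."""
    recent = defaultdict(deque)   # account -> (timestamp, amount) in window
    alerts = {}
    for ts, account, amount in sorted(transactions):
        if amount >= threshold:
            continue              # already reported through a CTR
        q = recent[account]
        q.append((ts, amount))
        while ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        total = sum(a for _, a in q)
        if len(q) >= min_count and total >= threshold:
            # Assumed weighting: the score grows as activity continues.
            score = round(len(q) * total / threshold, 2)
            if account not in alerts or score > alerts[account]["score"]:
                alerts[account] = {"account": account, "count": len(q),
                                   "total": total, "score": score,
                                   "last_seen": ts}
    return sorted(alerts.values(), key=lambda a: -a["score"])

def d(day, month=3):
    return datetime(2011, month, day)

# Constructed sample: (timestamp, account, cash amount in dollars)
SAMPLE = [
    (d(1), "A-100", 9500), (d(2), "A-100", 9200),
    (d(4), "A-100", 9800), (d(5), "A-100", 9000),   # repeated, just under
    (d(1), "B-200", 12000), (d(3), "B-200", 4000),  # CTR plus one small event
    (d(1), "C-300", 9000), (d(20), "C-300", 9000),
    (d(10, 4), "C-300", 9000),                      # too far apart
    (d(1), "D-400", 1000), (d(2), "D-400", 1500),
    (d(3), "D-400", 800),                           # repeated but small
]

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE):
        print(alert)
```

Widening the window or lowering the minimum count catches slower patterns but raises the number of alerts analysts must review, the same false-positive trade-off the vendors quoted here describe.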
NICE Actimize, of New York, which provides anti-fraud products and services that banks use to combat fraud against consumers, has created a technology that applies behavioral analysis to money laundering as well.
Its system might examine long-term patterns of credit card or ATM use, as well as withdrawals and repayments to different accounts, and compare that activity to suspicious activity reports to look for correlations.
"AML solutions have historically been driven on a batch basis, and as we move forward all banking systems are moving toward real-time data delivery, and will start to look at those decisions in real time," says Tony Wicks, director of anti-money laundering solutions for NICE.
The problem with that, Wicks says, is that, just as in the retail banking world, it creates the potential for more false positives.
In the end, it also will be necessary to bolster compliance departments and have strong compliance protocols in place, experts say. That includes adding more trained staff who can look at the exception reports carefully, before making decisions.
Bank business relationship managers are often conflicted, as they don't want to terminate lucrative relationships based on unfounded suspicions, says Frances McLeod, partner at Forensic Risk Alliance, in Providence, R.I.
"So the question becomes what else do I know about the entity involved in this transaction, and can I reach out to the branch where there is a relationship to see if there is more digging that can be done," McLeod says.
While adding more employees for compliance purposes may be a very tough sell in these days of massively restrained IT budgets, it's necessary.
"We have gone from being bankers looking at activity to investigating the reasons for the activity, and not only trying to determine the reasons for the activity, but also trying to determine what the outcome will be," Funaro of Ridgewood Savings says.