Transcription:
Penny Crosman (00:03):
Welcome to the American Banker Podcast. I'm Penny Crossman. For some large banks compliance with anti-money laundering rules has been an epic fail. TD Bank, Bank of America and Wells Fargo are among the banks that have been cited recently for AML violations. All the big banks have software that's designed to catch money laundering and people who are trained to investigate transactions for signs of money laundering. So why does this keep happening? Our guest today, Aaron Ansari, oversaw anti-money laundering efforts at a large U.S. bank and a prior job. Today, he's an independent consultant. He has an insider view of what goes wrong and what might be done to fix it. Welcome, Arian.
Aaron Ansari (00:44):
Pleasure to be here. Thank you, Penny.
Penny Crosman (00:46):
So in October, TD Bank pled guilty and agreed to pay more than $1.8 billion in penalties to resolve the Justice Department's investigation into its violations of the BSA Act and money laundering rules. "Every bank compliance official in America should be reviewing today's charges as a key study of what not to do," Deputy Attorney General Lisa Monaco said when the charges were announced, Merrick Garland said, "By making its services convenient for criminals, TD Bank became one. TD Bank chose profits over compliance with the law, a decision that is now costing the bank billions of dollars in penalties." So not to pick on TD Bank, but it has had one of the biggest cases in recent history. So one problem in TD's case is that criminals were apparently bribing employees to help them launder money. The operators of one money laundering network that processed more than $470 million through the bank gave employees gift cards worth more than $57,000 to ensure they would continue to process their transactions. Aaron, what might a bank do to discourage employees from taking bribes like this? Is there an element of if you pay people better and treat them well, they're less likely to be lured into this kind of complicitness or is that naive?
Aaron Ansari (02:08):
Certainly that's an element of any business. Having a culture where the employees are happy and treated well obviously will make the output and the performance of that business as high capacity wise as it can be. But I think in this instance, it goes beyond the treatment of employees. All banks in their employee handbooks, in their acceptable use documents when an employee is onboarded, have an anti-bribery and just a limit on the acceptance of gifts that can be received from customers, vendors, or any third-party entity. If I'm a software vendor that provides you the anti-money laundering software platform, I can't send you a lavish gifts. I can maybe take you out for a cup of coffee or something under $15, $20 or sorts of things. So that anti-bribery policy is there and it's founded based off of best practices and those sorts of things. In this instance, if you look further into the DOJ finding, there was a quote from a Deputy Attorney General Lisa Monaco that said, "For years, TD Bank starved its compliance program of the resources they needed to obey the law." And that fundamentally is what we want to get into, or at least kind of my major point is, as you said in the intro, technology exists, services exist, laws, regulations, platforms, advisors, they all exist to be able to support, I'll say, a healthy anti-money laundering program. But when you starve that program, you don't have what's necessary to do the minimum required for the law. And I'd imagine if you don't give your employees the technology and resources that they need, regardless of how well you treat them, they're not going to be happy.
Penny Crosman (04:11):
So there are a couple of things I want to follow up on there because I definitely wanted to ask you about the idea of starving the compliance department, but just when you think about the branch employees, there was a description of a criminal network that just dumped piles of cash on the bank's counters, and another case that people were withdrawing amounts from ATMs that were 50 times higher than the daily limit. But just when you picture somebody dumping wads of cash on a teller counter, what is it about a bank that just lets employees go along with that and not question that? I mean, do banks need to have some kind of, if you see something, say something policy like we have on the New York City subway? That idea that everyone's just closing their eyes to this, what culturally causes that and what culturally could stop that?
Aaron Ansari (05:11):
Sure. So the primary business of a bank is to take deposits and make money off of those deposits from interest in loans and those sorts of things. If you look back, USV, Isaac Catan, Cassin, USV, Alfredo, Ruiz's Hernandez, these are money launderings back in the eighties, nineties where people would drive up with their cars, drug dealers in this instance, and healthcare fraudsters would drive up with their cars with trunks full of money, and the bank employees would help them unload the wads of cash and the duffel bags full of cash and put them in. From a deposit standpoint, the primary business is to take deposits, right? So you want to be as frictionless as possible when you're taking that deposit because the more assets that you have on hand, the better your business is and the more you're able to be able to conduct the business that you want to conduct.
(06:10):
So the more assets you have, the more loans you can get, the more small businesses that you can enable to do their jobs. So fundamentally, that first step for a bank to succeed is taking the deposit, and you want to make that as easy as you can as compliantly, if that's a word, or being as compliant as possible during that process. And that's sort of the key. If you look at the retail level. So when we're talking about a bank, lots of divisions, there's lending, there's financing, there's investments, and typically when I say retail, that's what I mean, the branches that you have out in the physical offices that do consumer and commercial deposits for business accounting. So when you look at the retail level, these bankers are incentivized to have more deposits to have more accounts. You think back to Wells Fargo when they were opening fake accounts under companies and humans that didn't exist.
(07:14):
Those bankers were incentivized by Wells Fargo due to internal contests and internal promotions that were based off of the number of accounts and deposits that they had on hand or loans that were applied for. And so the bank didn't do a good job to stop Wells Fargo from creating fictitious accounts. So looking at this, they want to do as much as possible to enable the deposits. I think recently there was a case of money laundering that came, I believe it was from some princess or royalty in the Middle East that wanted to deposit $9 million to start an account and was depositing large amounts or transferring large amounts of money to a financial institution from the Middle East with no, obviously we know about KYC, know your customer laws. Nobody had met this person and the story kept changing on if they were royalty or how they got their money or the source of funds and these sorts of things. Eventually the account was closed because it was proven to be money laundering. So good on the bank for finding things, but the primary function of the way that the business is, is to make that deposit and access to taking money as frictionless or as easy as possible.
Penny Crosman (08:35):
Well, your example reminds me of the Jeffrey Epstein case, and there was a large bank that kept him on as a customer for many years after he had already been indicted for various crimes. And the overall sense you got is that he was not a lucrative customer in his own right, but would be able to bring in other wealthy customers and that all of that overrode the compliance flags that continually cropped up on his account. So I don't know if there's an answer to this, but banks are intrinsically wired to try to generate revenue and to put that above things that are cost centers like compliance. I mean, is there any way to flip that around other than a very large fine?
Aaron Ansari (09:34):
The carrot versus the stick is an easy way to boil down this. And I mean if you look at this fine, it's astronomical. And to the people that I talk to in the financial services industry that see this, understand that this is a fine, this is actual cash on hand that's being given. It's not future profits or deposits or those sorts of things that are being penalized. This is the money that's sitting in their bank. And if you look at some of the reasons of how banks allow money laundering, right? There's a couple of main domains that I talk about. There's active collusion, right? Where key offices that are directly involved in circumventing regulations happen. So in your example, right, the gift cards and those sorts of things, there's active collusion with the fraudster to do this. So that facilitates laundering negligent practices, right?
(10:32):
A lack of compliance or internal checks that are in place that just allow this to happen. The point that I want to harp on next is exploitation of jurisdictional loopholes or regulatory weaknesses. For the longest time, the enforcement and or the penalty that came down to the poor practices that were being exposed, the fines didn't outdo the monetary value that was generated from the programs. So if you're generating a lot of money and loans off of the laundered money and your fine is much less than that, you're still making money. So these people, they're not suffering federal crimes or aren't going to jail themselves. So the bank still having to pay some sort of penalty in this instance while great is in certain instances, something that several institutions are just accepting as the cost of doing business.
Penny Crosman (11:52):
So basically there no way to make compliance feel more important except by making the fines extremely large?
Aaron Ansari (12:02):
For the most part, sure. I mean, I'm not going to say that people should go to jail over things like this because that gets into a larger discussion of corporate responsibility and individual responsibility to corporations. But at the end of the day, when you are found guilty of something by the DOJ and it's pretty obvious as your business practices supported that there are people within that organization that made the decisions to circumvent those best practices and to ignore the warning signs that were popping up as you just gave in your example. And in my mind, there should be some sort of recourse for the individuals as well as the organization.
Penny Crosman (12:44):
Most banks have transaction monitoring software that is supposed to flag the signs of money laundering. Why doesn't that work the way it should?
Aaron Ansari (12:58):
Yeah, so that other piece that I just mentioned, like circumvention of, we'll say technology jurisdictional loopholes or regulatory weaknesses is kind of the name of the game. And if you can sound convincing enough or be somebody that's committing fraud that will be able to bypass things for long enough, you can get away with a lot. An easy example is when you're laundering money, a lot of times people take out loans from institutions and then they pay back more than what's due on the loan each month. So they then have access to that additional funds that are being deposited back either to borrow from or to get a refund check for. And so in an instance, if I take out a loan and my payment is my installment every month is $10,000 and I pay $12,000, I get a $2,000 check back. And in that instance, I'm laundering money, right?
(14:07):
I'm using dirty funds to pay the $12,000 and I'm getting a certain, the $10,000, I pay $12,000 and I get $2,000 of it back. So there are certain ways that you can get around even the software and the regulations to find things. And from a bank perspective, it's great. Somebody's paying us on time, everything's good. And for most of the systems that cover or check that, because remember this is across multiple divisions or institutions within a bank, sometimes the software doesn't talk to each other. Sometimes the platforms don't necessarily align and you're able to get by for a long time doing things or operating sort of under the radar. And it's unfortunate, but from a business standpoint, you don't want to invest. These organizations are trying to be profitable, and if they don't have to invest more into people, into processes, into technologies that will mitigate this, they won't. And that's not just anti-money laundering, that's everything. Software, programs, benefits. Most organizations don't want to invest more than they have to from a bare minimum standpoint. And you see that I think more publicly with money laundering cases, but that pervasive across a lot of how an organization's culture is.
Penny Crosman (15:37):
So if a bank say is subject to a large penalty or thinks they might be, they realize they've got to step up their AML efforts, what might they do with their software? If this were you, would you look into an AI-based AML system? Would you look into tuning the AML system to have stronger signals? Are there other things that could be done from a technology point of view to help a bank better catch all of this? And I realize it depends on the bank and what's happening, but generally speaking, for instance, do you think AI is part of the answer?
Aaron Ansari (16:24):
Part of it? Sure. I don't want to go through and say that spend more money and grow your tech stack to be bigger and more complex is the answer. But I do want to say a couple of things. Setting up your environment correctly, ensuring cross-platform communication, ensuring configuration as it relates to the money laundering itself, as well as notifications of the team as well as investigations and enabling those sorts of things won't necessarily cost you more. So when I am consulting with somebody, I don't try to come in and say, well, you need to buy this newest and greatest and shiniest software, otherwise your program's just not going to work. It's not true. You can work a lot with what you have currently and we want to just ensure that we refine it so that it's as efficient as possible. Then once you've used the building blocks and the bricks that you've got in place, then we can talk about stacking more on top or we can talk about removing one component and adding something else in to augment things.
(17:39):
Artificial intelligence certainly helps from a scalability and from a fatigue standpoint for analysts that are doing the alert and the monitoring of these sorts of things. But there should always be a human in the loop. And when I'm talking to these organizations, I always want to make certain that there's enough human in the loop involved to where the team isn't being totally overrun with alerts and notifications so that they just get what's called alert fatigue and they just blanket accept or completely ignore things that are medium or low criticality. When we're looking at things refinement of those rules, high, medium, low or super critical is paramount because not every alert should be super high critical, but not every alert should be medium or low. And that's where artificial intelligence can really help because if you're using a software platform that will help you understand the nuances and the components between what is hair on fire and what is, we could probably ignore this and look at it once we get a more capacity on the team, that's where you're really going to have a good balance and have a lot of value to both your customers as well as your compliance and regulatory team.
Penny Crosman (19:02):
Yeah, that's an interesting observation that the red flags could be given indicators of how hot and cold they are. And when you talk about this refinement, is there an element of law enforcement or somebody providing some of the patterns of behavior that money launderers are having and then you can kind of plug that into your system. So if this network is doing has this pattern of transactions and these regions for instance, then you might be on the lookout for that. Is that part of that work?
Aaron Ansari (19:43):
For certain. Years ago, w would use what's called rules-based methodology. And if you think of them as if-then statements, if you deposit more than $10,000 cash, then you get a phone call, or if you transfer more than X amount of dollars in a 48-72 hour period, you get a phone call or an investigation. Now, obviously there's more complex stages that criminals have used to bypass these things. There's called the placement stage where there's structuring or currency exchanges or asset purchases that are done sort of in the first step to move dirty money to put it in some sort of legitimate financial system or financial structure so that if it's an asset or some courtesy exchange that's happening, it looks to be a little bit more legitimate. And then that's harder to track from rule standpoint. And so if you start writing a thousand rules to look at every transaction, your transactions start to slow down.
(20:53):
So this is where artificial intelligence comes in and it's able to do complex analysis at millions if not trillions of permutations per second, and it's able to come through and say, Hey, okay, I know what placement staging looks like. I know what layering stages or concealing the source looks like. I know what integration stages or legitimizing funds looks like, and I'm going to go through here and I'm going to tell you this is the integration stage or this is the layering stage, and you should look at it. The rub comes between applying those techniques or those systems to legitimate transactions, and then you've got an instance where you're stopping a business from being able to do its business or stopping grandma from transferring money for Timmy's college fund sort of thing. However, most institutions need to either educate their consumers on the fact that this is going to be coming or do more for it because I keep going back to it, TD is the 10th largest bank in the world, or at least North America, and they're hit with a $3 billion penalty. That is a lot of money to be penalized and inconveniencing the customer is probably going to be something that's more of the norm as organizations start to tighten up on the analysis that's used to do these stages.
Penny Crosman (22:28):
Well, that's another really interesting aspect of this because you and I have talked about this before, but when banks really ratchet up their flagging process, whether it's for AML or for other kinds of suspicious transactions, that legitimate consumers can suddenly get locked out of their accounts, have their accounts shut down or frozen. And I think we talked about how AI can help with that as well. Can AI kind of help to find the nuance between the legitimate money launderers versus someone who just went on a worldwide trip and was buying gifts for friends or something like that that might look anomalous?
Aaron Ansari (23:18):
For sure. And what we need to think about here is consumer or small time versus big time. And what I mean by that is certain software packages automatically decline and even close accounts. And okay, I closed John's account and I no longer have John with a $100,000 in deposits in my bank, boohoo. Is that worse than a billion dollar fine in actual cash on hand? Never. And I could lose a hundred Johns or a hundred John's businesses or Jane's or Sally's businesses and still not equal the penalty that could come from future deposits versus cash on hand. And so you will see, and I think you have seen software packages and platforms and artificial intelligence algorithmic decisions that are being made that are automatically just telling the retail banker that, Hey, the system was closed. I don't know why it was closed. If I'm at the retail bank level, I don't know why it was closed. The system just says it's closed, so sorry. We can open you a new account or we can transfer this over to another institution or something for you. You don't typically lose access to your money, but that inconvenience is so much more minimal than the actual fine is.
Penny Crosman (24:47):
Interesting. Is there any other kind of technology that could be brought to bear on these money laundering cases? For instance, do you think banks are going to be looking at employee surveillance to try to catch these kinds of complicit behavior that we saw in this case, or are there other things that the banks could be thinking about that could help them not allow criminals to use their banks as part of their networks?
Aaron Ansari (25:20):
So insider fraud, that's something that's a tough thing because you want to trust the employees that you have working for you, and it's appropriate that you started this discussion with culture as the question that you posed, because coming back around to it now, do I want to work in a culture where every decision I make is scrutinized and watched, monitored, questioned? Probably not. So having that balance between enabling the employee to do their job as well as trusting the employee to do their job versus ensuring that there aren't some bad actors within your organization is certainly going to increase. And I think you'll see, I won't say big brother-like monitoring, but I will say software that's used to look at insider threats or insider malicious activities for sure. The other thing, and I think you'll see this come to light in the next few years is, and I'm not trying to use buzzword bingo here, but distributed ledger technology or blockchain, right?
(26:37):
You've got blockchain that provides immutable transparent records of transactions that make it easier to trace money. I'm not talking about Bitcoin or those sorts of things, but I'm talking about the smart contracts, decentralized identifiers, transparent transactions that can come with sort of that DLT distributed ledger technology. That'll be something that I think will help once it gets more than where it is now, which is completely nascent. Once it gets a little bit bigger, and I won't even say mainstream, I'll say just accepted as part of a technology stack. I think you'll see that help a little bit as it relates to understanding what's happening. And then I think at the customer level or even the, I'll say the retail level, enhanced technologies for KYC, we will start to help. I think you'll see a larger proliferation of fingerprint, facial recognitions, biometrics, those sorts of things that'll enable KYC to be easier and more frictionless, provided that you can mitigate the stolen voice AI sort of things that come out there and mimic somebody's voice or do the facial overlays. From a deepfake standpoint, I do think you'll see some sort of enhanced customer verification that can come and bypass some of the threats that's coming off of things as well as better refinement, more cloud computing and scalability that comes to the A ML things that are there, robotic process or automations that can be applied to a ML and repetitive tasks and those sorts of things that'll come into play. You'll start to see that proliferate more and more.
Penny Crosman (28:45):
Well, that makes sense. Well, Aaron, thanks so much for joining us today, and to all of you, thank you for listening to the American Baker Podcast. I produced this episode with audio production by Adnan Khan. Special thanks this week to Aaron Ansari. Rate us, review us, and subscribe to our content at www.americanbanker.com/subscribe. For American Banker, I'm Penny Crossman and thanks for listening.