Part I. The Urgent Need for Financial-Crime Risk Management in Asia
The costs of financial crime are rising, and financial institutions in Asia are having to bear them. Given the concentration of capital flows into and within the region, the direction being taken by governments across the region, and the spate of financial-crime events in the recent past, financial institutions need to prepare to mitigate the risks associated with such crimes if they are to protect economic value and limit reputational damage.
For example, in February this year, a large Indian public-sector bank was involved in fraudulent transactions exceeding $2 billion. Owing to the market’s reaction to the news, the bank’s shares dropped by almost 40 percent in three weeks. This happened due to the lack of adequate controls systems in the bank, which allowed criminals to work through loopholes in the system and bribe internal employees to help them commit fraud.
While this has been dubbed the biggest fraud in India’s banking history, it is by no means an isolated incident in the region. In Australia, at the end of 2017, one of the Big Four banks was accused by AUSTRAC of breaches of anti-money laundering and counter-terrorism laws. By the first quarter of 2018, the bank admitted culpability in half of the cases. Recently, it agreed to pay a $523.8 million fine.
This as an issue that financial services institutions all over Asia need to deal with urgently, before the costs become too high. Given the extensive flow of foreign funds into the region in the form of foreign direct investments, it is imperative for Asian banks to actively manage and mitigate risks associated with financial crime. This will not only limit freedom for criminals and rogue states to operate, but it’s also a simple protection against financial distress.
Separately, regulators in the region will also expect much more of the banks in terms of monitoring, controls and reporting. As a result, banks will have to move closer to international norms in terms of investment in preventing financial crime.
How Can Financial Institutions Prepare?
Many firms that find themselves early in the journey of investing in financial-crime risk management may struggle to know where to start and how to get a grip on the issues.
The first step is establishing a positive relationship with the regulator. Most supervising bodies appreciate the complexities with which the bank is dealing. They are aware that controls sometimes represent a trade-off with customer experience, that systems may themselves prevent the creation of perfect controls environments, and that cultures and behaviors are slow to change.
Nevertheless, their expectations have moved, and we suggest an action plan targeting six areas for gains to get started:
Communication. Senior leadership needs to communicate the importance of financial-crime controls down the hierarchy. Boards and executive committees need to be well-versed in specific examples of failures of financial-crime controls and their implications. These can then be used to school leadership teams in the criticality of quality risk management in this area.
Culture. Uncertainty about the purpose of a transaction must be unacceptable in the culture of the organization. This will be critical not just for management of financial crime, but also for good conduct and to satisfy community expectations. The playing field of expertise in finance is not level between provider and customer: Bankers will be expected to have a solid grasp of transaction logic. Unusual requests should be met with questions, not executed regardless. This can be turned into a competitive advantage if done well and seamlessly.
Compliance. All staff need to understand the organization’s obligations for clear and transparent reporting to regulatory and supervisory bodies. Staff should be aware of their role within that overall obligation. Compliance must be a “gate” and basic requirement at all levels.
Coverage. Technical aspects of managing financial crime are equally important: All transactions need to be screened, and all customers need to go through know-your-customer procedures of the desired quality. Risk assessments need to be thorough, and tested scenarios need to be comprehensive to cover all products and segments. All geographies, branches and subsidiaries need to meet minimum standards, which are well-articulated and understood.
Computation. While financial crime is a major issue for all banks, armies of people conducting transaction checks and monitoring is not the answer. The most advanced institutions are finding radical increases in productivity from analytics. To this end, Citigroup president and chief executive of the bank’s institutional clients group James Forese, believes that the bank could replace up to half of its 20,000 technology and operations staff with machines over the next five years. According to Mr. Forese, operational positions at the bank were “most fertile for machine processing.” It is an increasingly common sentiment. Transaction monitoring is moving from merely screening to the use of advanced analytics and machine learning. Prioritizing the files for manual review frees up expensive expert time for cases where it is most needed. Large complex organizations such as HSBC have realized double digit gains in productivity and helped set the goalpost for the industry.
Cooperation. There are areas where cooperation in the industry is possible and to everyone’s benefit, such as in the creation of utilities for processes that meet KYC requirements. Well-targeted cooperation makes regulators more—rather than less—comfortable, customers more satisfied (assuming privacy can be handled appropriately), and banks more efficient (where incentives are aligned).
The Risks Are High
The cost of poor financial-crime risk management falls heavily on society as a whole—but especially heavily on the pockets of shareholders in firms judged to have materially missed expected standards.
The response needs to be broad and deep, raising seniority of issue ownership, capabilities, and engagement at all levels of the industry. But the costs of doing this will be high. We expect that most banks will need to at least double their annual spend on financial-crime risk management in a business-as-usual state. Additionally, many banks that are coming from a lower base will need to significantly upscale their financial-crime control environment to meet international norms.
The high associated costs notwithstanding, this is an issue that financial institutions in Asia need to confront sooner rather than later.
To read the full paper, click here.
Part II. Financial Crime Implications for Asian Financial Institutions and Businesses
How does financial crime manage to fly under the radar? First, it is intangible—a few more or less zeros on a bank statement—making detection and investigation harder. Second, in financial crime, generally there aren’t any deaths or injuries in the conventional sense. Someone may lose money, but often the “victim” is a government or company, entities that many find hard to empathize with. Third, regular crimes have decades if not centuries of being socialized. Conversely, many financial crimes such as tax evasion and theft of commercial secrets have been conceived relatively recently.
But one form of financial crime is likely to gain prominence in the coming years. Money laundering, which is linked to offenses of terrorism financing, nuclear proliferation and the circumvention of economic sanctions, is likely to be countered by more regulation in the near future.
Firms in the Asia-Pacific region should take notice.
The Challenge of Money Laundering
Money laundering has been regarded as an offense for less than 30 years. The first instrument adopted internationally was the United Nations Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances in 1988. Also called the Vienna Convention, it addressed the issue of proceeds of crime and required that member countries establish money laundering as a criminal offense. The aim was to attack cross-border criminal organizations by deterring the flow of money from criminal activities via financial systems.
An intergovernmental body, the Financial Action Task Force (FATF), was set up in 1989 to help tackle the problem. Since 1990, the FATF has issued global standards to fight money laundering called “Recommendations.” It also conducts reviews of each country at different points in time to assess the country’s compliance with the Recommendations.
These Recommendations and evaluations encourage governments to establish their own measures to identify, seize and confiscate criminal assets. The Recommendations ask countries to implement measures for financial institutions and certain designated nonfinancial businesses and professions to conduct customer identification and record keeping and report suspicious transactions.
The scope of money laundering includes proceeds derived from all serious crimes, also known as “money laundering predicate offense” (MLPO). Countries must also make the conversion or transfer of property derived from a MLPO or concealment of the source or ownership of property from a MLPO a money laundering offense.
The first Recommendations issued in 1990 dealt with laundering of drug money. The Recommendations have been successively revised to require countries to criminalize terrorist financing, nuclear proliferation and tax evasion and to designate them as money laundering predicate offenses. New Recommendations have been added that require countries to implement financial sanctions to comply with United Nations Security Council resolutions relating to counterterrorist financing and nuclear proliferation.
Through the efforts of the FATF and revisions of the Recommendations, the concept of money laundering and the range of offenses continue to evolve. Money laundering laws have become a powerful catchall deterrent against all types of serious crime including newer types of identified systemic threats.
Most countries, including in the Asia-Pacific, have adopted the Recommendations and instituted money laundering measures in their domestic laws. Under the Recommendations, countries must assist each other on issues of money laundering, associated predicate offenses and terrorist financing investigations, prosecutions and related proceedings. Governments may request assistance from their counterparts in identifying and investigating persons who commit tax evasion. Assisting governments may take high-profile enforcement measures against financial institutions and designated nonfinancial businesses in their jurisdictions to demonstrate upholding anti-money laundering measures and deterrence of illicit activity.
Challenges for Businesses in Asia-Pacific
Amid the projected rise of enforcement of money laundering regulations, compliance may be challenging for financial institutions and designated nonfinancial businesses because:
Money laundering rules are not uniform across countries.Although the Recommendations are standard, in its evaluations of countries, FATF allows individual countries to calibrate their implementation of the standards in accordance with the level of money laundering risk that each country has assessed it faces. Therefore, anti-money laundering regulations and standards can vary significantly across countries. Also, unlike other global regulations, there is no one uniform deadline for implementing the Recommendations and different countries have tended to strengthen their money laundering laws at different times.
The lack of uniform money laundering laws across jurisdictions complicates the implementation of money laundering measures.Firms’ business activities often involve cross-border financial or trade flows. Where a counterparty or customer does not adhere to the same anti-money laundering measures, a request for customer identification information and documents may be hard to explain and obtain. Within a firm that is a multinational group, differing money laundering laws within the group across jurisdiction poses complexity in implementing and monitoring compliance.
New money laundering predicate offenses continue to be added, and new methods of crime continue to evolve. One example is tax evasion, which was only designated as a money laundering predicate offense in 2012. It is relatively hard to spot, as tax regimes are complex and vary across countries. Thus, it could be hard for firms to detect if they are dealing with tax evaders or proceeds of their criminal activity, especially if there is a cross-border element involved. Technological innovation such as cryptocurrencies can also lead to new avenues for money laundering.
There is no one checklist that tells a firm or its employees how to spot potential money laundering. The Recommendations state that anti-money laundering is based on a risk-based approach—not a single unified checklist. Therefore, assessing the risks of money laundering may entail weighing macroeconomic, geopolitical and commercial considerations as well as understanding tax regulations.
Scarcity of resources. There could be a scarcity of infrastructure or talent available in the Asia-Pacific region to handle compliance. Firms will be required to maintain the right infrastructure for identifying money launderers and to hire the right talent that can deal with complex risk assessments and judgments. This talent infrastructure will come at a cost.
Money laundering is a type of financial crime that is likely to grow in prominence globally and in the region. Firms within Asia-Pacific should pay closer attention to money laundering regulations and become familiar with them. In this process, they should be assisted by governments and regulatory bodies, which should frequently educate industry and share practices to help firms understand how to fight money laundering.
Part III. Risk and Compliance: Data Science and Company Culture
Since the financial crisis, the largest global financial institutions have radically overhauled their business and operations in response to the growing push for greater compliance requirements. It is estimated that within a segment of the European market, financial institutions spend an estimated $83.5 billion annually on their risk and compliance departments across technology and employees.
Banks have launched partnerships with the public sector and startups alike, aimed at increasing awareness about how peer institutions are grappling with the evolving global regulatory environment and fostering innovation to meet their requirements without hindering their responsiveness.
For example, Standard Chartered, a 160-year-old bank, partners with startups through eXcellerator, an innovation lab that helps teams across the bank problem-solve, spread best practices and re-engineer from the ground up. This lab identifies new and better ways of doing things across the enterprise and serves as a gateway for the bank to foster innovation across diverse markets in Asia, Africa, the Middle East, Europe, and the Americas.
Many of the markets that banks serve look to OECD regulators for guidance and stability. But stability does not mean accepting the status quo.
Standard Chartered, for example, is conducting a simultaneous experiment in a mature and budding market: Just recently, the bank applied for one of Hong Kong’s first virtual banking licenses, and it did the same in Côte d’Ivoire. Similar businesses—but vastly different technology.
The Need for More
Despite all this necessary investment, the returns have been underwhelming. Banks struggle to share insights across internal departments, between relevant stakeholders or partners, and with regulators.
Part of this can be explained by the difficulty of modernizing the vast underlying banking technology infrastructure. Moreover, many banks are exploring how to fully use the massive amounts of technology they’ve invested in. Some institutions are ahead of others and rightly so: Different regulators have different tolerances for balancing stability of the financial system versus cultivating innovation that increases financial aptitude. This will take time.
But the problem runs deeper than that: Too many banks are failing to adequately train their vast new corps of employees. Technology is changing the way all facets of the modern workforce solve problems. Banks’ workforces simply aren’t keeping pace.
The Right Culture
Fostering a culture of innovation is a good start. Management must instill in employees a startup mentality and avoid developing what Jeff Bezos calls a “Day Two mentality,” wherein employees overlook outcomes and “the process becomes the proxy for the result you want.”
Day One innovation means focusing on the customer and the result—in a marketplace where the customer has overwhelming options, only the best products and services will survive. This holds true even if your customers are, in fact, internal stakeholders or regulators.
One arrow in the quiver should be data-science skills. Banks already earmark training time and dollars, but a larger slice needs to go to training risk and compliance professionals with these valuable skills.
Data science has three components: data; software to use and explore that data; and most importantly, good questions to drive what one is looking for.
Acquiring data-science skills doesn’t require a yearlong master’s degree. In fact, much of this type of development can be done on the job, infused with intense training bursts. Early in my career, I took a two-week, employer-sponsored ethical-hacking boot camp because I was interested in cybersecurity. With a degree in political science, I understood the consequences of cyber threats, but couldn’t roll up my sleeves to compete as a young consultant without hard command-line skills. After spending eight hours a day for two weeks in a hotel conference room in rural Virginia, I walked away with marketable skills. This experience taught me that if a liberal arts major can learn how to hack into a simulated environment, a lot can be accomplished through booster shots of learning.
With a little creativity, banks’ training departments can design low-cost, flexible and effective courses by partnering with learning institutes, such as Coursera or General Assembly, that offer relevant boot camp-style programs. Banks could tailor these existing courses with their own specific case studies, involving employees across functions, age groups, geographies and up and down the organizational ladder.
According to a joint J.P. Morgan–Singapore Management University study, the ASEAN Economic Community’s core members—Singapore, Malaysia, Thailand, Indonesia, and the Philippines—face a shortage of industry-ready skilled workers. While Singapore is a high-income nation with a well-educated workforce, the International Labour Office cites that the country is facing a challenge of strengthening the role of innovation in its education and training institutions.
However, Singapore has started taking initiatives to strengthen innovation in its training institutions. Its Skills Programme for Upgrading and Resilience, for example, aims to equip employees with new skills for the future. Many similar systems and initiatives exist and serve as an example for other countries in the region.
Hand in Hand
To be sure, technology can’t replace social graces, curiosity or creativity, and banks’ training departments need to foster programs that boost soft skills as well. Data science can empower leaders to solve increasingly complex problems—but in the best cases, these hard and soft skill sets work together.
It’s no secret that the risk and compliance role is changing. Employers and employees must work together to acquire the technical skills required to compete in the 21st century while not losing sight of the soft skills that got us here.
*The opinions are the author’s own and do not reflect the views of his employer.
Authors: David Howard-Jones, Jayant Raman, Sinyee Koh, Jeremiah Sadow