The expanding use of facial recognition technology for ID verification, user authentication, and accessibility is finally coming under fire from privacy evangelists worldwide. Proponents of digital privacy are talking about user consent, data context, transparency in data collection, data security, and lastly accountability. Adherence to strict principles of privacy, as well as free speech, entails proper regulation aimed at controlled use of facial technology.
Facial scanning systems are used for a variety of purposes: facial detection, facial characterization, and facial recognition. As a major pillar of digital identity verification, facial authentication serves as a means of confirming an individual’s identity, and stores critical user data in the process. The technology is keeping the trade-up by allowing users broader use of digital platforms and enhanced knowledge of data collection.
The Digital ID Market: A Snapshot
Digital identity verification is changing the way companies are working. In Europe alone, the expected growth of the identity verification market is found to be 13.3% from 2018 to 2027. By then, the market will have grown to US$4.4 billion. By the year 2030, the McKinsey Global Institute puts value addition by digital identification at 3 to 13 percent of GDP for countries implementing it.
At the same time, cybersecurity threats are also on the rise, indicating a glaring need for enhanced security solutions for enterprises. According to Juniper, cybercrimes have cost $2 trillion in losses in 2019 alone. By 2021, Forbes predicts this amount will triple as more and more people find ways to mask identities and engage in illicit activities online.
As a direct consequence of this, the cybersecurity market is also expected to grow into a humongous $300 billion industry, as projected in a press release by Global Market Insights.
As technological advancement fast-tracks, this figure will probably grow in proportion to the growing threats to cyberspace, both for individuals and enterprises.
Facial Recognition Data Risks
Formidable forces tug at the digital user from both ends of the digital spectrum. Biometric data, while allowing consumers to avail a wide range of digital services without much friction, also continue to pose serious risks that they may or may not be aware of.
Facial recognition data, if misused, can lead to risks that consumers are generally unaware of, for instance:
Diminished freedom of speech
Much has been said about the use of facial recognition technology in surveillance by law enforcement agencies. At airports, public events and even schools, facial profiling has led to serious invasion of privacy that is increasingly gaining public traction. While most users are happy to use services like face tagging and fingerprint scanning on their smartphones, privacy activists are springing into action with rising knowledge and reporting of data breaches.
Let’s dig deeper into one of the most potent cybersecurity threats linked to facial recognition technology: Deepfake.
How Deepfakes Impact Cybersecurity
In the world of digital security, deepfakes are posing a brand new threat to industries at large. To date, there are 14,678 deepfake videos on the internet. As barriers to the use of AI are lowered, adversaries share the same access to advanced technological capabilities as regulators. High rates of phishing attacks are targeting financial institutions, service providers and digital businesses alike. Representation of enterprises is at risk as deepfakes are fully capable of altering videos and audio without being detected.
This has profound security implications for identity verification processes based on biometrics, which will find it harder to identify the true presence of a customer.
With the pervasive use of evolving technology, cybercriminals will find it easier to access sophisticated tools and nearly anyone can create deepfakes of people and brands. This involves higher rates of identity threats, cyber frauds and running smear campaigns against public personalities and reputable brands.
For facial identification software, this means false positives created by deepfake technology can assist cybercriminals in impersonating virtually anyone in the database. Cybersecurity experts are rushing to integrate better technological solutions, such as audio and video detection, in order to mitigate the impact of deepfake crimes. More subtle features of a person’s face will be recorded in order to detect impersonators.
However, it is impossible to turn a blind eye to the raging speed at which the use of generative adversarial networks is making deepfakes harder to detect. According to experts, the underlying AI technology that supports the proliferation of such impersonation crimes is what will fuel more cyber attacks.
Blockchain technology might also help in authenticating videos. Again, the success of this solution also depends on validating the source of the material, without which any individual or enterprise is at high risk of being maligned.
Implications Across Users
Gartner warns enterprises about the use of biometric approaches to identity verification, as spoof attacks continue to riddle the digital security landscape. While popular celebrities can be exploited by incorrectly using their facial identity in pictures and videos, large corporations are also at high risk of being targeted.
Sensational announcements about the company or industry trends can lead to stock scares and other financial repercussions. Fake news and misinformation have the potential to cause meltdowns in political landscapes. Additionally, doctored videos on social media can cause an uproar among certain demographics, leading to social unrest.
Identity Verification Technology – A win-win approach
With more and more companies using digital onboarding solutions, the threat of deepfakes is real and must be effectively countered. Companies are no longer looking only for identity solutions that make the best use of customer biometrics. Instead, they now have an increasing interest in how the stored information is safeguarded against burgeoning cyber threats.
The first step in resolving digital impersonation crimes is to be fully aware of the possibilities as such. Enterprises and professionals need to be apprised of the rising misuse of digital verification software, and the likelihood of personal data being compromised.
Face swapping technologies must now be matched with face detection software that helps identify fake videos and misleading content. In addition, digital security solutions must be ramped up, especially those involving the use of sensitive client data.
Biometric authentication and liveness detection solutions
Liveness detection, as an added feature of facial recognition, provides an efficient solution to deepfakes as fraudulent attempts to bypass biometric identification using past photos/videos increase. The same technology behind deepfakes can also be employed to counter frauds and spoof attacks, to ensure that personal data is not compromised for cybercrime.
Differentiating between spoofs and real users becomes easier as additional layers of security are added to the verification process. Users are required to appear in front of a camera and capture a selfie or a live video.
Shufti Pro performs biometric analysis to validate true customer presence, with markers that check for eyes, hair, age, and color texture differences. Coupled with microexpressions analysis, 3D depth perception and human face attributes analysis, this ID verification process ensures maximum protection against digital impersonators.
Summary: Sixth Anti-Money Laundering Directive (AMLD6) highlights a stringent framework to combat money laundering and terrorist financing. It extends the scope of criminal liabilities and entities with an updated list of predicate offenses. AMLD6 came up with tougher penalties and widens the criminal liability to legal persons.
The European Commission affirmed action plans to tighten the reins on mounting money laundering and terrorist financing. On 26 June 2017, the 4th Anti-Money Laundering Directive (AMLD4) came into force, contributing to the same idea of combating bad money flow. It stated the regulations for information exchange and its operation among financial institutions. After this, EU co-legislators identified the need for amendments in AMLD4, which were declared in AMLD5. These changes are expected to come into effect by the 10th of January 2020 and state the sectors which need to strengthen their standard operations to deter the risks of money laundering. It also asserts that the sectors facilitating criminal activity will be subjected to harsh regulatory penalties. Recently, the EU Commission came up with the Sixth Anti-Money Laundering Directive (AMLD6), published in the EU’s Official Journal. AMLD6 introduces a harmonized authoritarian framework for the elimination of money laundering.
AMLD6 strengthens the existing norms of anti-money laundering. It establishes minimal criminal liability rules for money laundering by setting its clear definition and stating predicate offences, enforces minimal sanctions and extends criminal liability to legal professionals. It reinforces the framework from the police cooperation point of view. Furthermore, the Directive sets specific requirements regarding information records and requests, sensitive data processing, and restrictions to rights.
AMLD6 – New Measures and Amendments
The EU Commission proposed new measures to fight against terrorist financing and money laundering activities. The Commission believes that existing models are neither comprehensive nor consistent. It suggests that definitions should be made clear at the national level and that the scope should be widened to cover the industries with a broader perspective. It further elaborates that criminal proceedings are innovative enough to exploit the parliamentary discrepancies. These weaknesses become a source of opportunities for money launderers to convert their ill-gotten gains to good money.
The draft must be sent to Parliament as well as the Council. The trialogue of the three bodies will produce an agreed document that would be accepted as a new EU law. Denmark will not be affected by this law due to its legal agreements, and the UK government may opt out of the adoption of AMLD6 notwithstanding the Brexit agreement. The fundamental component of AMLD6 is the list of 22 predicate offences. AMLD6 defines these predicate offences explicitly, which will definitely impose obligations on firms. Companies would have to put in place monitoring systems to detect direct and indirect links facilitating predicate offences.
Following are the key elements of AMLD6 that incorporate criminal legislation:
Harmonized list of Predicate Offences
The scope of the 22 predicate offences has been extended. It now includes the emerging threats of environmental crimes and cybercrimes in the EU. Environmental crimes refer to those set out in legal acts of the Union. Similarly, cybercrimes are declared a predicate offence, which was not catered for in the FATF recommendations. Tax crimes are also in the scope of AMLD6: the crimes that are directly and indirectly committed due to tax commutation. To avoid ruinous circumstances, firms should familiarize themselves with the expanse of the 22 predicate offences.
Aiding and Abetting, Inciting and Attempting
The money laundering scope is extended in AMLD6. Now, aiding and abetting, and inciting and attempting, lie within the premises of money laundering. By including these entities, which are called ‘enablers’, money laundering tracking can become easier. These entities are considered the facilitators of the money laundering process. Therefore, AMLD6 extends its boundaries for money launderers to combat the risks of embezzling funds transfer.
Criminal liability extension to Legal Professionals
Recall that in AMLD5, legal professionals were spotlighted to undergo client identity verification and keep accurate information about them. AMLD6 focuses on the evaluation of legal professionals. According to it, criminal liability is extended to legal professionals, i.e. partnerships and companies. It is applicable to those who facilitate money laundering through their businesses, directly or indirectly, for the sake of their own benefit. Legal professionals would be answerable if individuals caught transferring illicit funds are not identified.
In addition to this, the representatives, executives, supervisors, and decision-makers who lack proper individual authentication or supervision would be accountable for facilitating criminal activity.
Tougher Regulatory Penalties
This is one of the most important areas covered in AMLD6. The Directive says that all Member States are supposed to set imprisonment of at least four years to deter money laundering. A business that is caught facilitating money laundering would be temporarily or permanently banned. Also, there would be the closure of business units and operations, exclusion from public funding access, and halted grants and concessions through which the predicate offence is committed. Wise companies are racing to comply with the regulatory norms to avoid harsh fines and reputational loss.
The rising exposure to money laundering is alarming for industries and businesses. Any entity that facilitates money laundering or terrorist financing actions will be sentenced with heavy penalties. Companies are seeking innovative solutions to tackle money laundering and to perform efficient monitoring of bad money flow through Artificial Intelligence and Machine Learning techniques.
Data Protection and Privacy
This initiative enables competent authorities to put in place stringent mechanisms through which personal and sensitive data is collected and processed. The fundamental rights of the subjects should not be compromised in any way. The directive focuses on data protection and privacy rights: the information collection should be minimal and should not include any financial information, for example, financial transactions or credit in bank accounts. However, a limited set of information includes personal data, i.e. the subject’s name, bank account number, date of birth, etc. Information on the total number of bank accounts of the subject is necessary for the purpose of investigation.
Sixth Anti-Money Laundering Directive (AMLD6) will be formally published and adopted in the EU’s Official Journal and at least after 26 months of coming into force, firms would have to comply with the directive. Member States have to follow the regulatory provisions and laws to take into account the associated predicate offences that could be promoted in the premises of legitimate business in any way.
The Financial Action Task Force (FATF) has been very keen on eliminating financial crime (money laundering, terrorist financing) at a global level. The regulatory authority recommended some major changes in AML (Anti Money Laundering) practices, screened the AML practices of some of its members (direct or indirect), and also added new countries to its members list.
FATF is one of the most influential global financial regulators. It has 39 complete members and several members under its affiliates (APG, CFATF, EAG, etc.) around the globe working on a thorough implementation of AML regulations. FATF is always keen on eliminating money laundering from all the countries and territories. Numerous industries including financial and non-financial sectors are added to the scope of reporting entities of FATF recommendations.
In a bid to ensure global compliance, FATF is always in search of loopholes in the AML and CFT (Counter Financial terrorism) regulations and compliance practices of the member countries. Regular screening of the AML practices of its member countries is a part of its operations.
In 2019 as well, FATF took some vital steps to expand the scope of its regulations to a global level and to cover the gaps between global AML regulations.
Saudi Arabia Became the First Arab Member of FATF
FATF expands the scope of its regulations to a global level by adding new members. Becoming a member of FATF requires the country to fully comply with FATF recommendations making it almost impossible for criminals to exploit it.
Saudi Arabia is setting standards for the Arab and Middle Eastern countries by becoming a member of FATF. The country was practicing the global AML and CFT regulations for the last four years. Also, in March 2019, it was about to be blacklisted by FATF, but narrowly avoided it and has now become a full member of FATF.
Financial institutions and businesses offering any types of financial services will be liable to comply with global AML regulations. This means the latest AML recommendations of FATF regarding cryptocurrencies and the legal sector will also be imposed on the reporting entities in Saudi Arabia. This initiative of Saudi Arabia will bring more business into the country as it is identified as a safe country by fully complying with the 40 recommendations of FATF. Meanwhile, the businesses in the country will be under the strict scrutiny of the regulatory authorities.
It is high time that businesses in Saudi Arabia should identify the crucial need to practice complete AML compliance.
Pakistan in the Greylist
FATF keeps an eye on its member countries by screening their efforts to eliminate money laundering and terrorist financing. Pakistan is a member of the Asia Pacific Group on Money Laundering (APG) and was under the scrutiny of FATF since 2018. The reason behind this scrutiny is the terrorist attacks in India. It was claimed by the Indian authorities that the terrorist activity was executed by a terrorist group in Pakistan. Also, the Panama Papers placed a question mark on the AML and CFT practices of Pakistan. The regulatory authorities in Pakistan are required to take proactive measures recommended by FATF to be removed from the grey list.
In 2019, FATF made an analysis of the AML practices of regulatory institutions in Pakistan. A decision is yet to come on whether Pakistan will be added to the blacklist or not.
It shows that FATF does not ignore any kind of non-compliance by its member states. In order to maintain the good image of their country, the member states are always striving to adopt stringent practices to enforce AML compliance in the business sector (financial and non-financial). Because becoming a member of FATF is just the first step, the countries have to go through regular screening by FATF and need to maintain a crime-free financial infrastructure in the country.
So, the businesses in full member countries and indirect-member countries are in dire need of practicing complete AML compliance, as non-compliance will lead to dangerous consequences like huge fines, loss of credit rating, loss of credibility, etc.
Changes in FATF Regulations
FATF gives recommendations whenever it finds a loophole in global AML and CFT regulations. In 2019, the authority gave some major recommendations to its member countries.
FATF recommended AML compliance for the cryptocurrency and legal sector in 2019. The legal sector is required to screen the Ultimate Beneficiary Owners (UBOs) of the entities they represent.
Also, the cryptocurrency businesses are required to practice AML and KYC compliance just like the financial sector.
The reason behind these new recommendations is the increase in fraud in these sectors. Cryptocurrency is widely exploited by financial criminals at a global level. According to a report, $1.1 billion of cryptocurrency was stolen in 2018. On the other hand, the legal sector is also exploited by money launderers to incorporate their black money into the business proceeds of shell companies. That is why the legal professionals are required to verify the identity of UBOs of business entities they are serving.
FATF also recommends the art dealers and precious metal dealers to practice KYC screening on their customers and to report transactions above the predetermined threshold.
Why Do Businesses need to Practice AML Compliance?
The businesses in the financial and non-financial sectors are covered in the scope of AML recommendations of FATF. Operating in countries that are full or indirect members of FATF, the businesses are obliged to practice thorough compliance with global AML regulations. Harmful consequences follow the non-compliance practices of businesses.
Non-compliance could result in fines, loss of credibility, credit rating and market value, and in some cases complete shutdown of the non-compliant entity. For instance, take the case of Danske Bank’s Estonia branch, which was closed due to a huge money-laundering scandal. Also, the bank faced several lawsuits and a huge penalty.
The recent efforts of FATF show that the entity will leave no stone unturned to eliminate money laundering at a global level. So, it means that businesses have no other option but to take proactive measures against financial crime. Running real-time KYC and AML screening on customers before onboarding them eliminates the risk at the very beginning. It enhances the credibility and credit rating of a company along with proactive fraud prevention. Such steps will help businesses in gaining a competitive edge. Hence, such proactive measures create a win-win situation for businesses.
In this era of technology, it is a common saying that “Innovation leads and regulation follows.” This couldn’t be any truer with the adoption of the Fifth Anti-Money Laundering Directive (AMLD5) by the European Union. AMLD5 is basically an extension of the previous iteration – AMLD4. Both of these directives are meant to tackle and control the ever-growing power and risks associated with the use of technology by criminals.
Moving into the fourth industrial revolution, businesses are completely under the limelight of technology. Of course, the criminal world is also taking advantage of technology to carry out its operations more effectively and anonymously. This drives government and regulatory agencies to come up with stricter directives for businesses to curb criminal activities.
The aim behind the introduction of AMLD5 is to prevent money laundering, terrorist funding and illicit transfer of money throughout the financial industries of the EU. The same was the goal statement of AMLD4 but in some ways, AMLD5 is more advanced and covers some further aspects. It includes a better definition of the virtual currencies, the changes and the information-sharing policies that are required to combat crimes related to prepaid cards and financial institutes.
From AMLD4 to AMLD5
Previously AMLD4 tackled the risks by making it mandatory for “obliged entities”- banks and financial institutions – to meet KYC and due diligence requirements. Also, the companies operating within the EU were obliged to maintain central registers of their ownerships. According to the European central bank, AMLD4 didn’t go far enough to curb the risks posed by criminal transactions and money laundering.
The main reason was the recent terrorist attacks throughout Europe. Moreover, the Panama Papers scandal in 2016, followed by the Paradise Papers publications in 2017, made it a top agenda item for the regulators to come up with a more efficient directive. These papers provided insight to the government into the ways politicians and wealthy individuals can exploit tight-lipped offshore tax regimes. These incidents created a huge fuss around the world, questioning the credibility of country regulations.
Taking into account these issues, the updated framework of the 4th Anti-Money Laundering Directive – AMLD5 – came into force in July 2018 and is to be implemented from January 2020. It doesn’t contain any new sets of rules; instead, its rules are just an extension of the previous ones. The fifth AML directive intends to bring boundless transparency in business activities and company ownership within the EU.
AMLD5 makes multiple amendments to the fourth directive. These extensions are to strengthen the policies to deter money laundering due to new technology advancements. AMLD5 not only proposes the public registry for beneficial owners of obliged entities, but it also addresses the significant risks associated with virtual and cryptocurrencies.
The Obliged Entities and Requirements
The fifth AML directive covers various entities that include:
Legal Professionals, Auditors, Tax Advisors, and external accountants
Trust, or company service providers
Person trading in goods (involving cash payments in amounts of €10,000 or more)
The most important requirement of AMLD5 is requiring the obliged entities to implement the beneficial ownership registry. It is essential for state members to collect and maintain accurate and current information about the legal entities – as described in AMLD4. In order to meet this requirement, the obliged entities that are operating in the EU must have Know your Customer (KYC) information, in addition to beneficial ownership information, readily available with all the planned procedures.
Enhanced Due Diligence:
Undoubtedly, the beneficial ownership registry is the primary level of customer due diligence. However, with the implementation of AMLD5, the obliged entities will have to adopt Enhanced Due Diligence (EDD) requirements. The EU-based banks are compelled to perform EDD every time they enter into transactions from high-risked third countries as defined by the European Commission. This requirement is to diminish the potential of doing business with criminal organizations.
The process of enhanced due diligence involves the collection of additional information about the customer, the screening and the completion of risk assessment. The risk rating strategies must involve the risk factors that may be responsible for updating the KYC policies and procedures. For example, technology is the major risk factor, and the manual KYC process needs to become digital.
After the completion of the risk rating process, the entities must ensure the automatic delivering of data to national authorities and providing them access to information. Enforcement of AMLD5’s EDD requirement on EU-based entities doesn’t mean that their clients must also follow them. But if a bank in Europe adopts stringent EDD requirements, then the associated entities are required to ensure that they are complying with AMLD5 requirements along with their regional regulations.
The Significant Changes in the Regulation:
Though AMLD5 is an extension of the AMLD4 regulations, there are some key changes highlighted in this directive, including:
1. Virtual Currencies
Virtual currencies like Bitcoin possess the transparency feature, i.e. the individuals involved with them tend to stay anonymous. It is both the weakness and the strength of the organizations as well; the weakness is due to the involvement of money launderers and cybercriminals. AMLD5 clearly states that virtual currency exchange platforms must apply Customer Due Diligence (CDD) just like traditional financial institutes.
It includes all the KYC and customer verification requirements. Moreover, customers have to get registered. All these requirements are to combat money laundering and criminal funding that takes place through these platforms.
2. Letterbox Companies
Under the new AMLD5 regulations, anyone will be able to access information about the real owners of “Letterbox” Companies that are operating in the EU. These companies are considered the hub of corruption, money laundering and transnational organized crime. This change in the directive can reveal the corruption and tax evasion that may be taking place in the companies.
Moreover, the central beneficial owner registry will be available to individuals with a ‘legitimate interest’, for example, an investigative finding out the owners of trusts and companies.
3. Prepaid Cards
AMLD5 has called for a reduction in the threshold of anonymous prepaid cards – from €250 to €150. This new arrangement is to combat the criminal activities that might be taking place through these cards. While prepaid cards generally have legitimate uses, the anonymous cards are readily used in money laundering and terrorist funding.
The banks and other financial institutions are obliged to conduct CDD against the prepaid cardholder if the payments exceed a defined threshold. Moreover, as per AMLD5 regulations, the use of prepaid cards that are issued outside EU territory will be prohibited unless they follow AMLD5 regimes.
Notable Challenges for Businesses in adopting new Standards
Until now, businesses complied with AML regulations but didn’t have to take as much notice of AML directives as they will have to now. Previously, financial institutions and tax advisors were the major entities meeting AML compliance. However, with the introduction of AMLD5, virtual currency exchange platforms, prepaid cards, and custodian wallets will also be obliged to follow the new standards and regulations.
The obliged entities have to comply with Customer due diligence, monitoring the virtual currencies transactions and keeping a tight rein on customer activities that they might find suspicious. The major challenge for businesses is that from onboarding customers to ongoing documentation, they have to keep the data up-to-date and share customer information with anti-money laundering authorities.
Moreover, businesses will need to make sure that all the staff members have proper knowledge of the AML directives and follow the standards accordingly. It will cost businesses in training their employees. As the date of implementation of AMLD5 is approaching near, the time to incorporate all these new standards and rules is shortening – another challenge for the businesses.
The financial sector landscape is evolving with the advent of the FinTech industry. Many revolutionary services and products are introduced by this sector and Money Services Businesses (MSBs) are one good example of such businesses. These revolutionary innovations increased ease for the masses. But lack of KYC and AML regulatory compliance specific to this sector left loopholes for the criminals. Also, most of the money transfer businesses are showing a lack of concern towards AML compliance, which increased the fraud rate in this sector.
Sensing the urgency, some countries including Australia, Canada, etc. are taking steps to prevent financial crime in money services businesses. Before we explore the regulatory and preventive measures taken by these countries, let’s dig deeper into MSBs as defined by the regulatory authorities.
If we look at the definitions provided by FinCEN, AUSTRAC, FATF, and FINTRAC, broadly an MSB includes any individual, business or organization that performs the following operations as a:
Currency dealer or exchange
Issuer or seller of traveler’s checks, money orders, etc
Remittance service provider
If a person or a business conducts these operations worth $1000 or more on a daily basis, then it is liable for compliance with KYC and AML regulations.
The MSBs are regulated in several regimes but lack of implementation and scrutiny led to an increased exploitation of this sector. Regulations are developed for AML compliance in MSB but lack of implementation is the issue. Regulatory authorities like FATF, AUSTRAC, and FINTRAC adopted a risk-based approach in MSBs’ AML regulation.
Primary actions required for KYC and AML compliance by MSB are as follows:
Complete KYC of customers (identity verification)
AML screening of customers
Getting registered with the regulatory bodies
Why MSBs Need KYC/AML Compliance?
MSBs are some of the most common victims of money launderers. Often MSBs do not perform KYC and AML screening on their customers, and this loophole in security is utilized by fraudsters. Money launderers and terrorist financiers cannot go to banks because banks often run KYC/AML screening on people before serving them. That is why criminals use MSBs.
They transfer the funds without being traced. Later, if a transaction is labeled as illegal, the criminal will be untraceable because they use fake identities. Ultimately the service provider MSB will be deemed liable for a fine.
So, the MSBs need to practice in-depth KYC and AML screening on their customers before onboarding them. KYC and AML compliance helps MSBs in gaining credibility and customer trust. Research found that people feel more confident with online platforms that have some sort of visible security measures like real-time identity verification, 2-factor authentication, face verification, etc.
Regulatory Authorities Tightening Reins on MSBs
The need for an improved compliance culture has been identified by global regulatory institutions. Financial watchdogs are all set to eliminate money laundering from all business sectors. This compliance culture can be achieved only if businesses also understand their responsibility for eliminating financial crime from their spaces.
AUSTRAC Targeting Money Transfer Businesses for AML Scrutiny
AUSTRAC (Australian Transaction Reports and Analysis Centre) is targeting money transfer businesses for thorough implementation of KYC and AML laws in that sector.
In August 2019, AUSTRAC launched a campaign against illegal money transfer businesses. This campaign requires money transfer businesses to register with AUSTRAC and to practice KYC/AML compliance. The objective of this campaign is to reduce the exploitation of these unregistered businesses by criminals.
Money transfer businesses that do not register with AUSTRAC will be liable for a fine of $420,000, seven years in jail, or both.
Money transfer businesses are required to submit their International Funds Transfer Instruction (IFTI) reports to AUSTRAC on time. Those who fail to do so are fined for non-compliance.
In September 2019, the regulatory authority fined Compass Global Holdings Pty Ltd $252,000. The company was unable to report its international fund transfers between 2018 and 2019.
Not only that, AUSTRAC also ordered PayPal Australia to hire an external auditor at its own cost to report on the company’s fund transfers to and from Australia. The order was issued after PayPal self-reported the findings of its internal report.
AUSTRAC is aiming to eliminate the crimes associated with money laundering through strict scrutiny of the businesses involved in high-risk fund transfers. “Money laundering enables criminal activity that causes real harm to Australians, such as human trafficking, child exploitation, illegal firearm sales, and drug trafficking,” AUSTRAC Chief Executive Nicole Rose said in a statement.
Canada Increasing Pressure on MSBs (Money Services Businesses)
Canada has also increased pressure on MSBs and introduced some rigid KYC and AML laws for this sector. The government of Canada amended the regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). FINTRAC (Financial Transactions and Reports Analysis Centre) will be responsible for the implementation of these laws.
The new laws for MSBs have the following key points:
MSBs (local or international) should be registered with FINTRAC, which will have the right to impose penalties in case of non-compliance.
The financial institutions are not allowed to conduct business with unregistered MSBs.
The MSBs are entered into the reporting entities list of FINTRAC.
The AML screening, recording and reporting regulations that were previously imposed on fiat businesses are now imposed on the MSBs as well. It means that the MSBs operating in Canada will have to conduct in-depth KYC and AML screening of their customers before onboarding them. Also, they will have to maintain a record of the compliance process and should report any suspicious transactions above the predetermined threshold.
How Will Online KYC/AML Screening Help?
Online KYC and AML screening can be a companion for MSBs in hard times. The customers of these businesses come from every corner of the world, so manual verification is not possible. Developing in-house verification software requires exhaustive resources and bears huge costs, so it is not a feasible solution.
An online KYC and AML screening solution is cost-effective and easy to use, and it delivers results with high precision within a minute. It is high time that Money Services Businesses invested in KYC and AML compliance, because the regulatory authorities have identified the risk lurking in this business sector and are all set to give a hard time to non-compliant businesses.
As part of the Action Plan against terrorism, the 5th Anti-Money Laundering Directive (5AMLD) proposed by the European Commission aims to address risks associated with virtual currencies and wallet providers. The proposal augments the 4th Directive in its efforts to enact EU rules designed to combat money laundering (AML) and the financing of terrorist activities (CFT).
This signals thorough regulatory change, as digital currency exchange platforms and e-wallet providers are now required to comply with AML and CFT requirements. Collecting and monitoring customer data will be part of their compliance operations.
Under the new law, the general public will have access to beneficial ownership information of EU companies, and due diligence measures for financial flows from high-risk countries will be beefed up.
Cryptocurrency – Safe or Not?
Virtual currencies such as bitcoin provide efficient ways of data sharing and user interaction for a wide customer base. However, the inherent way in which cryptocurrencies are able to hide user identity opens up opportunities for suspicious transactions online.
This implies that authorities cannot trace the identity behind any kind of transaction, and financial transfers can therefore be concealed easily. The risk of such services being used by terrorist organisations looms large on the horizon, leading to strict scrutiny measures for the crypto realm in 5AMLD. Virtual currency remittance systems are also at risk of being used for terrorist and illegal activity financing.
As safety of digital transactions dwindles, KYC for identity verification becomes an increasingly important part of the security equation. In contrast, at the very heart of cryptocurrency is the counter-intuitive idea of decentralisation that allows a user to create a disconnect between his identity and e-money. The key here is finding the middle ground between privacy and legality.
Currently, only a third of all businesses across Europe and the US perform background checks on their users. And this is about to change after the implementation of 5AMLD.
Before this directive, no EU laws were directed at monitoring digital currencies or e-wallets. The new directive includes a definition of virtual currencies, which was absent from 4AMLD:
‘a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically’.
This covers a wide range of virtual money – coins, tokens, custodial wallets – to ensure that no form of electronic value escapes monitoring. Although the definition is all-encompassing, it is useful to note that it merely views cryptocurrency as a means of exchange online and not as assets, securities or commodities.
There is no clarification for ‘virtual currency exchanges’, but individual entities are identified as providing services between virtual and fiat currencies. Again, the scope of such transactions under AML/CFT compliance is unclear, and the commission almost overlooks crypto-to-crypto exchanges. For Initial Coin Offering (ICO) organisers, brokers and other platforms, this underscores the need for detailed checks under 5AMLD Compliance.
In this respect, the UK has warned against the use of crypto assets in illegal activities, and hinted at using a broader regulatory framework.
Next in importance to cryptocurrencies are e-wallets. The law defines a custodian wallet provider as:
“An entity that provides services to safeguard private cryptographic keys on behalf of their customers, to hold, store and transfer virtual currencies”.
Following this interpretation, a service provider shall not be liable under CFT/AML laws unless it holds the user’s private key. Obliged entities include centralised cryptocurrency exchanges such as Mist, Ledger Nano S and Trezor.
Under 5AMLD, previously unlicensed exchange services and e-wallet providers now need to be authorised through a registration process. This means that common AML practices such as customer due diligence, transaction monitoring, and fraud detection will need to become part of company compliance processes. Countries are obliged to create central databases, with complete lists of virtual currency users and their self-declaration forms.
As ironic as it may seem, cryptocurrency providers will collect, store and monitor information of customers, as well as any beneficial owners that may be involved. For the purpose of AML/CFT screening, this puts an end to any anonymity in the currency space, and enables concerned national authorities to collect such data and verify it against relevant account holders.
The law also lowers the threshold for identifying users of e-money, to further empower Financial Intelligence Units (FIUs) by facilitating information exchange. In addition, when performing a KYC before a business relationship, the corresponding beneficial register in the EU must be accessed.
Onwards and Safer
After the 5th AML Directive of the EU is rolled out, crypto exchanges, e-wallets and trading platforms will require efficient identity verification processes and AML monitoring tools for enhanced customer experience.
For smooth sailing amid regulatory change, digital currency providers are better off adopting reliable KYC/AML/Customer Due Diligence and financial crime control strategies well in time. Cybercrime and terrorism need to be rooted out at source, and compliance officers must carefully identify their exposure to the risk of criminal activity. Keeping in view the products and services being offered, cryptocurrency providers must conduct a risk assessment and take pre-emptive action against high-risk transactions and users.
Regulating the cryptocurrency space will not be as easy as controlling its non-digital counterpart. Regulators, financial institutions and crypto providers equally face technical challenges in ensuring compliance with AML laws. Sharing relevant, open and transparent information, as well as establishing partnerships at each level, will, therefore, be central to the process of regulation and innovation.
The FinTech industry has grown tremendously in recent years, introducing both scale and efficiency in new banking technologies. According to Statista, at an annual growth rate of 18%, global transaction value in FinTech is expected to grow to $8 trillion by 2022.
Traditional financial service providers (banks, insurance, transactions and payment services, mobile wallet payments) have no option but to catch up with changing tides, in order to survive the technology revolution. From cutting costs to providing seamless transaction experiences, FinTech has changed the way people manage money.
The world has witnessed more transparency in banking, and financial transactions are thriving with the use of disruptive technologies such as AI, machine learning, and blockchain. Fueled by the advent of the internet, FinTech has now grown to new heights with mobile payments and online banking.
Reaching the Unbanked
One of the marked successes of this digital wave is how it has led to increased access for previously unbanked populations, largely due to the mass outreach of mobile phones and the internet. Now, mobile phones are making it possible for more and more people to enter the global financial system, albeit with limited access to services such as mobile payments and transfers.
The mobile money market is witnessing a revolutionary transformation fueled largely by:
Growing focus on customer experience
Diversified financial services structure
Evolving regulatory landscape
Expanding mobile money services
Mobile money accounts, as well as text and app-based financial accounts, are providing financial coverage to growing global populations. A small but rising percentage is also taking advantage of smartphone technology around the world. However, this is subject to availability of adequate underlying infrastructure such as power supply. The challenge is greater in developing countries where only 40% of adults have access to both the internet and mobile phones, as opposed to 82% in high-income economies.
How RegTech is Relevant to FinTech
A large customer base is currently left unserved in the financial services industry due to lack of the right infrastructure. As the FinTech revolution continues to benefit the economy and break into new markets, it promises to close gaps in financial inclusion. However, this comes with high risks of exploitation that need to be managed.
Currently, 1.7 billion people in the world are unbanked, down from 2 billion in 2014. This is one of the most challenging pain points for financial service providers. FinTech is changing this, and RegTech can accelerate the process.
RegTech startups are experiencing growth and investment at almost the same rate as the FinTech industry. Firms are realising the need to capitalize on compliance efficiency and use it for competitive edge in the industry. There is great potential for powering the future of financial regulation by integrating technologies into supervisory systems used by banks.
RegTech has major implications for financial institutions in the form of reduced regulatory costs and improved operational efficiency. With far-reaching benefits for the economy, RegTech is also aspiring to drive growth and profitability by better regulatory reporting and risk management, as well as transaction monitoring.
This is especially relevant for emerging markets, where a notable percentage of the population can experience compounded benefits from access to services like micro credit and remittances. The effective use of RegTech strikes a balance between access to credit and credit security.
With machine learning, artificial intelligence and e-KYC (Know-Your-Customer) verification methods, the gains are far-reaching. Fraud mitigation and reduced compliance costs make it possible for FinTech to include more financially excluded population segments. Automated KYC processes through RegTech ensure that foolproof methods for legal use of financial services can be made effective. Through APIs, RegTech can also simplify compliance with complex regulations and optimise its cost in time and labour.
Both financial institutions and regulatory authorities see added value in adoption of regulation technology for better compliance and service delivery. APIs for data collection and reporting have also shown a marked improvement in customer engagement, as well as compliance.
Driven largely by business demand and technology innovation, there are five main service offerings by RegTech:
Identity management and control
Challenges in Financial Service Delivery
As financial services become more digitized and pervasive, regulatory systems need to adopt more forward-thinking ways of digital transformation.
The foremost challenge in providing digital financial services to previously unserved populations is risk management. In most cases, financial authorities are still learning their way into the digital revolution. If vast amounts of data are collected without apt use of APIs, serious data security concerns could arise. This could undermine the RegTech revolution and make the onboarding process more complex for new entrants.
Supporting infrastructure in the form of digital databases is also absent in most cases. While there is a steep demand for mobile money accounts, some key services such as government payments (pensions, wages, social benefits) are still paid in cash. This reinforces financial exclusion for large segments of the population who could otherwise benefit from services such as mobile payments.
Additionally, stringent identity verification requirements, such as those in KYC, get in the way of digital relevancy. National identity document verifications are sometimes not enough to ensure that people from remote areas can open an account and other local documents are required for account opening. This opens up a range of opportunities for the RegTech industry to influence financial service delivery, and in turn financial inclusion.
RegTech Solutions: Closing Delivery Gaps
Across the globe, traditional financial systems are increasingly embracing technological advancements and committing to streamlining regulatory networks. Regulatory sandboxes and ‘reglabs’ are now being facilitated for innovation, to cater largely to the spike in regulatory compliance in both developed and developing countries.
Sandboxes are controlled spaces for tech firms to test out new technologies under the regulator’s supervision. In addition to offering room for innovation, RegTech sandboxes can also be used as effective feedback and communication channels between FinTechs, regulators and RegTech providers. For financial inclusion, this means balancing innovation and risk to reach underserved customers.
Improving access to mobile money markets also depends a great deal on efficient implementation of KYC regulations. In areas where access to financial services is a challenge, fulfilling tedious document verification requirements can be a cumbersome task. This stands in the way of scaling mobile money networks, hence hurting financial inclusion.
This is where RegTech plays a central role. By simplifying customer onboarding processes, through efficient use of AI and HI, the mobile money industry can get a real push. The use of innovative e-KYC technologies such as biometric authentication and digital ID systems can make the process more efficient.
With tangible results in the form of financial stability and customer engagement, investment in better regulation technology is being recognised as key to an efficient financial system. A sound regulatory environment, with RegTech applications that support risk management, will ensure that economies reap maximum value from the FinTech revolution.
Living in the era of technology, the world is rapidly moving towards digitization. From banking institutions to shopping stores, every organization is shifting its operations online. Going digital is no doubt providing a competitive edge to organizations to meet customer demands. On the other hand, the online presence has raised serious concerns for both individuals and businesses by exposing digital information to cybercriminals. As a result, there has been a significant increase in digital fraud, specifically account takeover (ATO) fraud.
What is account takeover fraud?
Account takeover (ATO) fraud is a type of identity fraud that involves unauthorized criminal access to a user’s account in order to use it for some type of personal and financial gain. The increased presence of people on the internet and their involvement in activities like online shopping, banking, and convenient funds transfer has opened new opportunities for criminals looking to make extra cash.
ATO fraud can involve the exploitation of multiple types of online accounts, including online banking, eCommerce, mobile, and social media accounts. Generally, cybercriminals and fraudsters look out for accounts from which they can steal money and gain monetary advantages. For instance, they target bank accounts to transfer funds to their own accounts, or eCommerce accounts to make fraudulent purchases. Imposters can also take over social media accounts and request money from the family and friends of the victims.
eCommerce platforms are the most profitable for criminals due to frictionless payment systems. On e-commerce sites with instant purchase functionality, all the billing information is stored in the user account, which makes it convenient for customers to make purchases. But it also makes it easy for criminals, once they discover the login credentials, to simply change the shipping address and start making purchases.
Impact of ATO Frauds
Account takeover fraud rates have been on the rise for the last few years. Every year, individuals and businesses incur huge losses due to ATO frauds. Customers are mostly the ones who endure monetary losses. In most cases, they not only lose time resolving the fraud but also suffer damaged reputation and relationships, for example in the case of a social media account takeover. Businesses, however, suffer losses in the form of chargebacks and a bruised reputation.
Last year in May, KREM2 reported a case of ATO fraud in which the victim, “Allie Raye”, wasn’t aware of the fraud until she started receiving shipping notices and orders from Amazon. Even after discovering it, she found it very difficult to stop the fraudulent orders, which included several gift cards. It took her around three weeks to regain hold of her account, and in the meantime she lost $1,640 in fraudulent purchases. In that case, Amazon had to bear the actual loss by ultimately refunding Raye the whole amount.
Factors fueling ATO frauds
Account takeover fraud is a serious concern not only for individuals but for businesses as well. Technological innovations have made fraudsters more sophisticated in accessing users’ information. Multiple factors are fueling ATO frauds; some of them are:
One of the main driving factors behind account takeover frauds is the increasing trend of data breaches. The purpose of a data breach is to access customer records containing their information, for example usernames, passwords, account numbers, and card numbers. The list obtained from the breach is sold on the black market, where large numbers of cybercriminals are readily looking for users’ data.
When the username and password of an account are known, hackers try the same combination on multiple online platforms through various automated tools, a technique known as credential stuffing. According to PerimeterX research, there is an 8% success chance of these attacks. Moreover, if criminals have access to the username and email address, they can use multiple attacks, for instance brute force, to guess the passwords.
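The two attack shapes named above leave different traces in login records, which is what a defender can key on. The following is an added example, not part of the original article: it labels source IPs in a constructed authentication log as credential stuffing (failures spread across many usernames) or brute force (many failures against one username), and lists accounts that logged in successfully from a stuffing source. The log format, thresholds and function names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:03Z 203.0.113.7 bob FAIL
2024-03-01T10:00:05Z 203.0.113.7 carol FAIL
2024-03-01T10:00:07Z 203.0.113.7 erin OK
2024-03-01T10:00:09Z 203.0.113.7 dave FAIL
2024-03-01T10:00:11Z 203.0.113.7 frank FAIL
2024-03-01T10:02:00Z 198.51.100.20 grace FAIL
2024-03-01T10:02:02Z 198.51.100.20 grace FAIL
2024-03-01T10:02:04Z 198.51.100.20 grace FAIL
2024-03-01T10:02:06Z 198.51.100.20 grace FAIL
2024-03-01T10:02:08Z 198.51.100.20 grace FAIL
2024-03-01T10:05:00Z 192.0.2.44 heidi FAIL
2024-03-01T10:05:20Z 192.0.2.44 heidi OK
"""


def parse_events(text):
    """Parse 'timestamp ip username OK|FAIL' lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of guessing
        when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, fields[1], fields[2].lower(), fields[3] == "OK"))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=5), many_users=5, many_tries=5):
    """Label source IPs by the shape of their failed logins inside a sliding window.

    credential_stuffing: failures spread over many different usernames.
    brute_force: many failures against a single username.
    The thresholds are illustrative assumptions, not recommended values.
    """
    recent = defaultdict(deque)  # ip -> failed (time, username) pairs within the window
    findings = {}
    for when, ip, user, ok in events:
        if ok:
            continue
        failures = recent[ip]
        failures.append((when, user))
        while when - failures[0][0] > window:
            failures.popleft()  # drop failures that fell out of the window
        per_user = Counter(name for _, name in failures)
        if len(per_user) >= many_users:
            findings[ip] = "credential_stuffing"
        elif max(per_user.values()) >= many_tries:
            findings.setdefault(ip, "brute_force")  # never downgrade a stuffing label
    return findings


def accounts_to_review(events, findings):
    """Usernames that logged in successfully from an IP flagged for credential stuffing."""
    stuffing_ips = {ip for ip, label in findings.items() if label == "credential_stuffing"}
    return sorted({user for _, ip, user, ok in events if ok and ip in stuffing_ips})


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    labels = classify_sources(parsed)
    print(labels)
    print("review:", accounts_to_review(parsed, labels))
```

Per-IP counting misses attempts spread thinly across many source addresses, so in practice the same windowed counts are also kept per username and per device or client fingerprint.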
Weak Password Practice and Inefficient Authentication
A greater online presence means more accounts, and users have to remember the usernames and passwords for all of them. The difficulty of memorizing them encourages users to set the same password for multiple accounts. This is a very common yet highly risky practice. It is found that 21% of people use passwords that are 10 years old and at least 71% reuse their passwords. This weak password practice exposes users to cybercriminals, who can easily take hold of users’ credentials and accounts through brute force attacks and credential stuffing.
Most organizations still rely on the binary authentication method, i.e., a username and password. Anyone with access to those credentials can easily log in to the account and do whatever they want. This is one of the main reasons for account takeover.
Social Engineering Tactics
Advances in technology have given fraudsters and imposters advanced social engineering tactics; phishing is one of them. Through phishing attacks, cybercriminals obtain user credentials by tricking the users. These attacks can arrive in multiple ways, including email, text message, or even a phone call. However, the purpose is the same, i.e., getting users to hand over their information.
An example of such an attack is an email that persuades you to click a link, which opens a login page where you enter your credentials, which are then stolen by criminals.
Threat by Device
Another factor driving the ATO fraud threat is smart devices: mobiles and mobile applications are prime targets of cybercriminals for ATO fraud. One of the major reasons for this is the technology lag. Advanced tools are designed to protect users on web browsers, but those tools don’t work for mobile apps in the same way. According to Rippleshot’s State of Card Fraud 2018 report, mobile phones are becoming increasingly vulnerable targets of ATO frauds, and this is expected to rise in the future as well.
ATO fraud is no doubt a major concern for businesses, especially in e-commerce; however, it can be prevented using proper user verification at the time of onboarding. Sometimes, after committing ATO fraud, the fraudsters use the user’s information to create another account. Through digital identity verification services, businesses can confirm the identity of real users and hinder fraudsters from creating fake accounts, i.e., committing identity theft.
The main factor that fuels ATO frauds is the lack of proper authentication checks. In this world of no trust, stealing someone’s credentials is no longer a difficult task. Through social engineering, fraudsters can trick users into providing their information. If online businesses adopt proper and advanced authentication services like 2-Factor Authentication and biometric verification through face verification, then account takeover frauds can be prevented.
Users who fail to verify and authenticate their identity can be blocked from accessing the account in real time.
ATO frauds are mostly committed to gain monetary benefits. Frictionless mobile and online payments are no doubt enhancing the user experience, but at the same time they are grabbing the attention of cybercriminals. Whenever imposters take over an account, let’s say a bank account, the first thing they do is transfer money to their own account.
Due to a lack of payment monitoring or authentication before processing transactions, cybercriminals succeed in making fraudulent payments. Monitoring the payment every single time a user requests a transaction can combat fraudsters in real time.
Face Verification – A Strong Weapon against ATO frauds
Face verification is an advanced form of biometric verification powered by artificial intelligence and machine learning algorithms. Traditional verification and authentication checks have failed to prevent fraudsters from accessing users’ data and personally identifiable information (PII). Integrating a face verification API with existing platforms can identify beforehand the fraudsters who may try to enter the system through spoofing measures.
Fraud prevention and cybersecurity are major concerns for companies in the digital era. Norton predicted that cybercriminals will steal an estimated 33 billion records in 2023, and misuse of such information is a common practice. Fraud comes unannounced, so businesses need to adopt a proactive approach towards such events. Fraud prevention is a continuous process. For example, if you perform KYC and AML screening before onboarding your customers but do not practice it at the time of every transaction, you are leaving a loophole for Business Email Compromise (BEC) fraud.
BEC fraud, also called CEO fraud, is very common because most communication is online. The criminals do a lot of research before targeting an entity for BEC fraud. In this fraud, the criminals send an email or make a call to a company requesting an urgent fund transfer while impersonating one of its customers or merchants.
BEC fraud is executed in a very friendly way. The criminals manipulate the person either with a friendly chat or by showing urgency in the fulfillment of their fund transfer request.
For example, 50-year-old Evaldas Rimasauskas tricked Google and Facebook into wiring more than $100 million to his bank accounts.
The man researched a merchant of Facebook and Google, namely “Quanta Computer”, and registered a firm with a similar name. Then he sent fake invoices and contracts to make the fraud appear more natural.
He tricked the employees of both companies into wiring money to his bank accounts in Latvia and Cyprus. Then he transferred the funds to his bank accounts in Hong Kong, Hungary, Cyprus, Slovakia, Latvia, and Lithuania to hide the money trail.
How is a BEC Fraud Executed?
A BEC fraud starts with a lot of research about entities (businesses) that could be soft targets for the fraud. The criminals collect information related to the merchants or customers of the company whose payments are pending. Once they have the information, the criminals create an email ID quite similar to your client’s email ID and contact one of your employees. At times the criminals use the legitimate email ID of your customers, because one of your customers might have been careless about securing their email credentials.
This fraud could also be executed the other way round. The criminals might use your email credentials to contact your merchants and clients for fund transfer of pending payments. Your clients will make the payments and you will have to bear a financial loss if your legit email credentials are used for the execution of the fraud.
The contact is mostly conducted through a casual email like asking about your last vacation or your health. Once they break the ice, they will send a friendly email regarding the change of their account details or for an urgent fund transfer.
Not suspecting anything, the employees often fulfill the request quickly because of the urgency created by the criminal.
Often the criminals also send fake invoices bearing the official header or logo of one of your clients, or they make calls impersonating the CEO of your client company to make things look more natural.
Also, in most email compromise frauds, the criminals ask for a wire transfer and leverage the confidence that companies have in the security protocols practiced in wire transfers.
Industries That Are Common Victims of BEC Fraud
Banks are the most common targets of BEC fraud as they are the financial intermediaries and serve a diverse clientele. Banks around the globe are struggling to retain their customers after the advent of fintech and are always in contact with their clients. Receiving wire transfer requests from customers is common for banks. When they receive any such email for urgent transfer from a credible client the employee often tries to fulfill the request at the earliest to retain happy customers.
Real estate is also a common victim. The criminals collect information regarding some ongoing real estate deals and contact the buyer as the legal representative of the seller and request a fast payment or clearance of dues.
As the deal is in the closing phase, the buyer does not suspect anything and makes the transaction.
In this case, the criminals target companies in a B2B relationship. The email ID of the CEO or legal representative of one of the companies is exploited in such cases. The criminals collect complete information about the previous email communication between the two companies and use it to send an email with a natural, casual tone.
How to Prevent BEC Fraud?
BEC fraud has caused huge losses to businesses of all sizes and types; even non-profit organizations have been victims of this fraud. The FBI’s Internet Crime Report (ICR) found that BEC fraud losses rose by 90.3% in 2018 and fraud complaints rose by 14.3%.
Businesses of all types and sizes need to pay heed to the prevention of BEC fraud. It not only causes financial loss but also affects the credibility of a company. Below are a few suggestions for preventing BEC fraud.
Identity verification of every request of wire transfer
Most businesses use online communication but do not understand the significant risk lurking in cyberspace. Businesses need to develop and practice in-house fraud prevention measures to counter any BEC fraud attempt.
Businesses should use verification methods to screen every such request. Ask the email sender to go through a real-time identity verification process every time a customer makes such a request. The verification could be performed through face recognition or 2-factor authentication.
Online identity verification is a feasible solution as it shows quick results and does not cause any inconvenience for the end-user. Also, the visible security measures will show your commitment to the security of your merchants or customers.
Train your employees
Employees of companies are the common victims of BEC frauds. The criminals choose a soft target that is easy to manipulate for wire transfer fraud or a phishing scam.
So, employees must be trained on a regular basis regarding the latest trends in cybersecurity and the types of cybercrimes. This will help them to identify suspicious emails and fake fund transfer requests.
The training could be based on the following pointers:
Do not open any email that looks too attractive; it might be a phishing email.
Beware of urgent payment requests from your merchants.
Tackling the account credential change request from your customers/merchants
Very casual and friendly email from your merchants
Train them about the technical aspects of fraud prevention software used in your company
Report to the concerned authorities
As soon as you find a BEC fraud, report it to the concerned authorities. It will protect the company from such attacks in the future. Also, it is the corporate and legal responsibility of the businesses to report such fraud attempts for the benefit of the masses.
Using email security filters helps in analyzing and detecting threats in email messages. Using filters that detect newly registered domain names similar to your own domain name also helps in finding the potential risk before it can cause any harm.
Such filters help in identifying and stopping spoofing emails from reaching the mailbox of the employees.
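One way such a look-alike domain check can work is sketched below as an added example (not code from the original article or from any filter product). The protected domain, the registration feed, the 30-day window and the confusable-character table are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: the protected domain and the feed of newly
# observed registrations (domain, registration date) are hypothetical.
PROTECTED = "examplebank.com"
TODAY = date(2019, 11, 1)
FEED = [
    ("examp1ebank.com", date(2019, 10, 28)),           # digit 1 for letter l
    ("exarnplebank.com", date(2019, 10, 30)),          # "rn" imitating "m"
    ("exmaplebank.com", date(2019, 10, 25)),           # transposed letters
    ("examplebank-payments.com", date(2019, 10, 29)),  # brand plus affix
    ("examplebank.net", date(2019, 10, 27)),           # same label, other TLD
    ("examplebakery.com", date(2019, 10, 29)),         # unrelated business
    ("examplebanc.com", date(2018, 1, 5)),             # look-alike, but old
    ("examplebank.com", date(2010, 3, 1)),             # the protected domain
]

# Character sequences commonly used to imitate another letter (assumed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def split_domain(domain):
    """Split 'label.tld'; assumes the feed holds registrable domains only."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld


def skeleton(label):
    """Fold look-alike character sequences so imitations compare equal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, protected=PROTECTED, max_distance=1):
    """Return why a domain resembles the protected one, or None."""
    label, tld = split_domain(domain)
    p_label, p_tld = split_domain(protected)
    if (label, tld) == (p_label, p_tld):
        return None                       # our own domain
    if label == p_label:
        return "tld-swap"
    skel, p_skel = skeleton(label), skeleton(p_label)
    if skel == p_skel:
        return "confusable"
    if p_skel in skel.split("-"):
        return "brand-affix"
    if osa_distance(skel, p_skel) <= max_distance:
        return "typo"
    return None


def recent_lookalikes(feed, today=TODAY, window_days=30):
    """Flag look-alikes registered within the last `window_days` days."""
    hits = []
    for domain, registered in feed:
        reason = classify(domain)
        if reason and 0 <= (today - registered).days <= window_days:
            hits.append((domain, reason))
    return hits


if __name__ == "__main__":
    for domain, reason in recent_lookalikes(FEED):
        print(f"{domain:28} {reason}")
```

Flagged domains can then be added to the mail gateway's block or quarantine rules before any message from them reaches an employee.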
To wrap up, BEC fraud is a planned crime and businesses need to be proactive to eliminate such frauds. Caution in sharing contact information and basic identity verification of the person making a fund transfer request are necessary to eliminate the chances of becoming a victim of BEC fraud. In-depth verification of clients and merchants before making transactions helps in eliminating the risk at the very first stage. These minimal and easy steps might prevent a huge loss for your company.
Money laundering is becoming a global phenomenon. According to the United Nations Office on Drugs and Crime, an amount equal to 2% to 5% of global GDP is laundered annually. Huge scandals, like the Swedbank and Danske Bank money laundering cases, surfaced in the last few years and made the regulatory authorities more stringent in their AML regulations. The regulatory authorities in Denmark are also planning to exercise more stringent control over the banks, as they are commonly targeted for such crimes.
The Danish authorities and government are all set to give a hard time to the banks regarding AML compliance. The Financial Supervisory Authority (FSA) is the regulatory authority in Denmark that has joined forces with the government to eliminate the money laundering prevailing in its financial system. The aim is to achieve a fraud-free financial ecosystem through the regulation of banks and other financial institutions.
Danske Bank’s Money Laundering Case
Danske Bank was once considered one of the most trusted financial institutions of Denmark. It fell from grace when the biggest money-laundering scandal rose to the surface with Danske Bank named as the culprit.
The bank was involved in one of the biggest money laundering scandals, in which €200bn was channeled through the Estonian branch of the bank. The bank also faced lawsuits for manipulating its investors in several other countries.
The in-depth investigation of the bank’s history reveals that the Estonia branch was used for illegal activities for a long time. It started with the opening of the Estonia branch of Danske Bank in 2007. Months after its launch, the branch faced criticism from the Estonian watchdog regarding its weak KYC practices. Also, the Russian Central Bank warned the branch that it was being used for money laundering.
The Estonia branch became even more open to money launderers when, due to some technical changes, the AML protocols of this branch came to differ from those of Danske Bank’s head office in Copenhagen.
Thomas Borgen became the chief executive and increased business for non-resident investors from Russia and other ex-Soviet states. During the period of 2007 to 2011, most of the profits of the branch came from those non-resident investors. Later it was revealed that most of the transactions and investments made by those non-resident investors were for money laundering.
In 2012, the Danish regulatory authority became suspicious and demanded an explanation regarding the complaints from the Estonian regulatory authority. In 2013, the American bank JP Morgan canceled its banking association with the Estonia branch of Danske Bank.
In 2013 a whistleblower contacted the regulatory authority in Denmark regarding the huge amount of non-resident funds through the Estonia branch of the bank. Based on those revelations internal auditors revealed that a huge amount of money actually flowed through that branch, including the money from a high-profile Russian Family whose assets were managed by a UK firm.
During 2015-16 the branch closed all its non-resident operations. Later, in 2017, the U.S., Azerbaijan, Moldova, Russia, and others claimed money laundering through that branch, which affected the investors. Following those claims, the Danish regulatory authority apprehended the bank but did not take any action. In 2018, the Chief Executive of the bank, Mr. Thomas Borgen, was removed from office.
Due to the continued reports and the global shame of Danske Bank, Denmark’s regulatory authority took action and demanded the closure of the Estonia branch of the bank.
Also, the Danish government decided to take some rigid steps for the thorough implementation of AML regulations. To do that, the regulatory authorities did research, and it was found that the financial regulatory authority of Denmark, the FSA, needed some major changes regarding its authority and laws.
Major Changes in AML Regulatory Landscape of Denmark
One of the major changes made in the AML regulatory landscape is focused on banks and the authority exercised by the Financial Supervisory Authority (FSA) of Denmark on banks. The government aims at regaining its image of the least corrupt country by extending the authority of FSA. The Danish business minister, Rasmus Jarlov said, “we need a more strong and more aggressive financial regulator.”
The government of Denmark is also tightening the reins on the financial regulatory authority of Denmark. The close relations of the regulatory authority with Danske and other banks are criticized as well. The defensive stance of the FSA towards the culprit bank at the beginning of 2019 also raised concerns and criticism. The regulatory authority is advised to become stricter towards the banks and their regulatory compliance.
The major concern of the government is to make the regulatory authority more efficient in the implementation of AML laws. Below are some initial steps taken by the Danish government to achieve strict regulatory compliance in banks and develop a stronger regulatory authority.
The Authority of FSA to charge penalties from banks
The regulatory authority of Denmark, namely the FSA, will be given more authority for the rigid implementation of AML regulations. The authority will be given more control over the financial institutions, especially banks. The FSA will have the right to charge non-compliance penalties from the banks. Previously this was not within the authority of the FSA.
The increase in the financial budget of FSA
The financial budget of FSA was increased by the majority vote of the Danish Parliament. The regulatory authority will receive a $7.25 million increase in its annual budget to increase its activities of anti-money laundering.
Increase in Anti Money Laundering staff
The Danish government and regulatory authorities are all set to give a hard time to non-compliant banks. The Danish regulatory authority will increase its AML compliance staff. It will increase the scrutiny of Danish banks.
Also, FSA will conduct a comprehensive money laundering inspection of major Danish banks.
High time for Danish banks to go AML compliant
FSA will be exercising a more rigid approach towards efficient completion of its duties. The regulatory authority is given more authority, money, and staff to ensure thorough AML compliance by the banks.
It is high time banks started using global KYC and AML compliance solutions for thorough risk prevention. Online AML screening helps in swift and cost-effective compliance. It is better to invest in compliance and enjoy risk-free business with a good credit rating than to pay huge penalties.
The modern world is an era of technology. Moving into the fourth industrial revolution, digitization of organizations is gaining ground in the marketplace. Industries are rapidly adopting the latest technology to secure their place in the competitive market. Identity thieves and fraudsters have set their sights on new targets, i.e. online businesses. Using advanced technological tactics and sophisticated tools, they are actively exploiting businesses and consumers.
The primary purpose of all thieves and fraudsters is to gain a monetary advantage, no matter what type of fraud it is. In the 21st century, traditional payments are moving towards the elimination of cash. The trend of online transactions and mobile payments is on the rise, and fraudsters are not going to miss the opportunity to compromise the transactions. Over the past few years, card fraud has become one of the fastest-growing and most challenging frauds for businesses and organizations.
The organizations accepting card payments are constantly under threat of fraudsters and cybercriminals. This means they are exposed to chargeback losses, customer churns, brand damage and other financial impacts of the digital frauds. Moreover, the strict KYC and AML regulations on businesses dealing with money demand an effective verification solution that can fulfill the regulatory requirements.
Taking into account the increase in card fraud, businesses have to tackle fraud not only to protect themselves; it is their responsibility to protect the respective card networks as well. This is the reason why the service providers have their own monitoring policies and programs imposed on merchants and businesses. It helps the merchants to drive improvement in their fraud prevention strategies and tools.
Mastercard’s new fraud monitoring program is set to be implemented from October 2019 for all merchants in the US. With the execution of this program, businesses will need to invest in verification and authentication services to curb chargebacks and avoid hefty fines.
Mastercard’s Excessive Chargeback Program:
Considering the rising trend of chargebacks, Mastercard has launched an Excessive Chargeback Program to carefully scrutinize each merchant’s chargeback activities. In this program, with predetermined chargeback thresholds, the acquirers can effectively evaluate and predict the chargeback risk associated with a merchant. By monitoring these chargeback rates, the acquirers can take action when a merchant exceeds or is expected to exceed the predefined acceptable threshold.
Mastercard chargeback thresholds are determined on the basis of the chargeback-to-transaction ratio. This ratio is calculated by dividing the amount of first chargebacks in the current month by the total number of transactions in the previous month.
Introduced in October 2019, Mastercard’s new Excessive Fraud Merchant (EFM) compliance program is applicable to all merchants in the US. This program is applicable to every merchant who meets or exceeds the pre-defined thresholds for the following short list of criteria:
The minimum number of e-commerce Mastercard Payments must be 1,000
The net fraud volume per month is greater than $50,000
A fraud-count-to-transaction ratio (FCTR) that is greater than 0.50%
Total 3D Secure (3DS) Mastercard transactions that amount to less than 10% of total Mastercard payment volume
In addition to the chargeback threshold, in the EFM program, MasterCard predefines the fraud threshold. The failure of merchants to meet this predetermined threshold level can result in fines and deactivation of the card service as well. The net fraud volume is calculated according to the following chargeback codes:
4871: Chip/PIN Liability Shift
4870: Chip Liability Shift
4863: Cardholder does not Recognize – Potential Fraud
4840: Fraudulent Processing of Transactions
4837: No Cardholder Authorization
The fines will begin to be imposed from March 2020. They will apply to any merchant remaining in the EFM program for two or more consecutive months, with the amount varying by the time spent in the program. For instance, after two months in the program the fine starts at $500, rising to $1000 for three months, $5000 for 4-6 months and $25,000 for 7-11 months.
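The criteria and fine schedule above can be checked against a merchant's own monthly payment records, as in this added example (not Mastercard's logic and not code from the original article). It assumes that all four criteria must hold together, that net fraud volume is the summed amount of chargebacks carrying the listed codes, that FCTR and the 3DS share are computed by transaction count within the same month, and it uses constructed sample data.

```python
from dataclasses import dataclass

# Chargeback reason codes the article lists for net fraud volume.
FRAUD_CODES = {"4871", "4870", "4863", "4840", "4837"}


@dataclass
class Payment:
    amount: float              # USD
    three_ds: bool             # authenticated with 3D Secure
    chargeback_code: str = ""  # empty when no chargeback was raised


def monthly_metrics(payments):
    """Aggregate one month of e-commerce Mastercard payments."""
    total = len(payments)
    fraud = [p for p in payments if p.chargeback_code in FRAUD_CODES]
    three_ds = sum(1 for p in payments if p.three_ds)
    return {
        "transactions": total,
        "net_fraud_volume": sum(p.amount for p in fraud),
        "fctr": len(fraud) / total if total else 0.0,
        "three_ds_share": three_ds / total if total else 0.0,
    }


def meets_efm_criteria(m):
    """True when every threshold from the article's list is met (assumed AND)."""
    return (
        m["transactions"] >= 1000
        and m["net_fraud_volume"] > 50_000
        and m["fctr"] > 0.005
        and m["three_ds_share"] < 0.10
    )


def fine_for_months(months):
    """Fine in USD by consecutive months in the program, per the article."""
    if months < 2:
        return 0
    for upper, fine in ((2, 500), (3, 1000), (6, 5000), (11, 25000)):
        if months <= upper:
            return fine
    return None  # beyond 11 months is not covered by the article


def sample_month(three_ds_count):
    """Constructed data: 1,200 payments, 40 fraud chargebacks of $1,500."""
    payments = [Payment(80.0, i < three_ds_count) for i in range(1150)]
    payments += [Payment(1500.0, False, "4837") for _ in range(40)]
    # "OTHER" is a placeholder for a non-fraud chargeback reason.
    payments += [Payment(200.0, False, "OTHER") for _ in range(10)]
    return payments


if __name__ == "__main__":
    for label, count in (("low 3DS use", 60), ("high 3DS use", 600)):
        m = monthly_metrics(sample_month(count))
        print(label, m, "EFM:", meets_efm_criteria(m))
```

In the constructed data, the same fraud volume keeps the merchant out of the program once half of its payments go through 3DS, which is why the text points merchants toward stronger payment authentication.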
What does it mean for Merchants?
Disputes and fraudulent payments are unfortunate aspects of online payments. The best way to manage them is to prevent them from happening by integrating an effective fraud prevention strategy. With Mastercard’s new fraud prevention programs, merchants need to invest in payment verification and authentication solutions in order to avoid remaining in the EFM program.
Fraudsters and scammers are using advanced tactics and automated tools to stay anonymous and spoof authentication checks and filters to carry out fraudulent payments using stolen identities and customers’ credentials. Merchants need to respond in kind to prevent them from exploiting the business. This can be done by adopting an AI-powered identification solution. Shufti Pro’s verification solution uses multiple verification and authentication services that are best suited for online businesses.
Preventing Fraudulent Payments
A payment is considered fraudulent in a case when the cardholder or accountholder doesn’t authorize it. The fraudulent payments are often made using stolen cards and card numbers – card not present frauds. Sometimes, through account takeover, fraudulent purchases are also made. By the time the cardholders review their card statement or get notified about the payments, the transactions have already been made. As a result, they contact their card issuers and claim a chargeback and ask them to dispute it.
Collect information – Verify Payments
Insufficient and vague information provided by the customers at the time of checkout is one of the major reasons why businesses fail to identify if the customer is legitimate or not. Just because someone successfully logged in to the account doesn’t guarantee that the transaction is done by an authorized entity. The businesses need to integrate authentication checks at the time of checkout to verify the identity of the authorized customers.
For instance, integrating Shufti Pro’s Consent verification in e-commerce platforms requires a video consent from customers holding their identity card or credit card. With the hybrid approach of AI and HI technology, authorized users are verified at the time of checkout. If the authentication fails, the payment won’t be approved. The identity verification services provided by Shufti Pro combat intruders while keeping customer burden and losses to a minimum.
According to Steve Grobman, Chief Technology Officer for McAfee, “The digital world has transformed almost every aspect of our lives but brought risks and crimes too. Crime is more efficient, less risky, more profitable and has never been easier to execute. Financial institutions of all stripes - banks, credit unions, brokerages, and payment companies - need to take a layered approach to cybersecurity and fraud prevention.”
Moreover, a new global cybersecurity report reveals that cybercrime takes an almost $600 billion toll on the global economy. Financial institutions are required to abide by AML and KYC regulations. They need to practice in-depth KYC and AML compliance to prevent themselves from falling prey to cyber scams like data breaches, money laundering, ransomware, etc.
An Insight to Brokerage Firms
Want to trade stocks? You’re going to need an online broker. Brokerage firms are financial institutions that help you buy and sell securities. They act as the middleman between the buyer and the seller. Depending on the type of brokerage firm you choose, you can make your investments via telephone, internet, or smartphone. Brokerage firms generally charge per buy or sell order. Online brokerage houses may not have any physical office at all. They operate via the internet only, so they are more prone to falling for cyberattacks.
Online Identity verification can serve the best in this regard.
ID Verification- Requirement for Brokerage Firms
To comply with US government law, brokers collect personal information from their customers. It may include tax identification and financial information. Under rules imposed by Self-Regulatory Organizations (SROs), brokers request information from new customers as well as from customers having a long-standing relationship with the firm. Also, to fulfill KYC and AML requirements, they need to know who they are dealing with and whether they are exchanging money between the right two parties.
Following are a few reasons why ID verification is crucial for brokerage firms:
To Fulfill Suitability Law
According to the FINRA suitability and SRO rules, when a broker recommends that a customer buy or sell a particular security, the broker must have a reasonable basis for believing that it is suitable for the customer.
To Fulfill Record-keeping Requirement
An SEC rule requires brokerage firms to create a record for each account with an individual customer. It should cover name, address, DOB, and government-issued ID information. To be sure about every record, brokerage firms need to verify all this information first. ID verification plays its part here. Brokerage firms need an online address verification tool to confirm that the person is not lying about his residence. Online ID verification is important for brokerage firms not only to combat fraudsters but also to fulfil the record-keeping requirement of the SEC (Securities and Exchange Commission). Brokers must make a good faith effort to obtain and verify the information of their clients.
To Combat Terrorist Financing:
Money laundering is committed to hide the money trail of black money. Financial institutions are often used by criminals to launder black money in other countries for various purposes, including terrorist financing. Brokerage firms can be victims of this too. So, to adhere to Counter Financing of Terrorism (CFT) requirements, brokerage firms need to know who they are dealing with and where the exchange is taking place.
To Counter Fake Identities and Frauds:
According to a study, 3 million identities were stolen in 2018 and 1.4 million of those stolen identities were fraud-related. Criminals use fake identities to open accounts at financial institutions to conduct their illegal activities. The most common victims of identity thieves are financial institutions because they serve the money motive of criminals well. Online KYC and AML solutions help financial institutions in preventing the risk that comes from a diverse clientele. Identity thieves and money launderers can be identified at the very first stage, which helps businesses in serving only a legitimate clientele.
Wrapping it up, brokerage firms (online or physical) are common victims of criminals. The products of brokerage firms are exploited for hiding black money or for transferring funds to terrorists anonymously. Hence, brokerage firms are advised to run in-depth KYC and AML screening on their investors. It helps them onboard a secure clientele and get a good credit rating due to regulatory compliance.
Several businesses are unaware of the significance that age verification holds for their business. UK gambling firms paid £19.6m in penalties due to money laundering and under-age gambling conducted on their platforms.
Regulatory authorities are introducing stringent Anti Money Laundering (AML) and age-restricted selling regulations to eliminate the risk of money laundering and under-age gambling addiction.
For example, the United Kingdom Gambling Commission amended the identity verification and KYC regulations for online gambling sites. The new regulations require online gambling websites to verify at least the name, address, and age of their players before onboarding them. The previously registered players should be verified as well.
With strict changes in the age-verification regimes, businesses need to gain in-depth knowledge about verification, its methods, and its benefits. Several businesses need to incorporate age-verification software in their systems for one reason or another but are unaware of the urgency.
What Is Age Verification?
Age verification is a process in which the identity document of the user/customer of a business is screened to verify if the age information provided is true or not. This process can be performed manually or through an automated process. Manual verification is not practiced commonly because it has a high risk of human error and the process is hefty.
To solve this problem online age verification is used widely by many businesses. It helps in remote age verification of customers from any corner of the world.
How is Online Age Verification Performed?
Online age verification is a swift process that shows results within a minute saving a lot of time and effort of the fraud officer and compliance department.
The end-user (your customer) is asked to enter his date of birth and show his ID Card or another identity document (passport, driving license) bearing his date of birth.
The system screens the document for default format and matches the date of birth on the document with that added by the end-user.
Once the verification process is completed the results are shown to the end-user and updated in the back office.
Why Businesses Need Age Verification?
The significant reasons why businesses need to verify the age of their customers are listed below:
Regulatory compliance is often one of the major reasons why businesses need to verify the age of their customers. Regulations in several countries like the UK and the USA have made age verification necessary for some businesses, and huge penalties are imposed in case of non-compliance.
Regulatory compliance helps businesses in gaining credit rating and market value.
Corporate Social Responsibility
Corporate Social Responsibility includes the operations and activities of a business that do not reap monetary gain but help it in improving its market value and brand image among the masses.
Businesses that sell age-restricted products can use age verification to show their commitment to the benefit of the masses. Children die every day due to unhealthy consumption of drugs and alcohol; 442 children died in the U.S. in 2015 due to drug overdose. Alcohol sellers should use age verification to play their part in decreasing deaths due to the under-age consumption of alcohol.
It will help the liquor store in gaining prominence as a regulatory compliant and socially responsible business.
Risk of Fake Identities
Often the children use the identity cards of their parents/elders to buy goods online. In such cases, if a business does not use identity verification it might end up losing its credibility and will also face penalties.
Another source of risk for some businesses is when identity thieves use the identities of other people to get free services and benefits. Often some benefits like pension and old age funds are given to needy people. Criminals might use fake identities to gain those benefits illegally.
Businesses That Need to Verify The Age of Their Customer
Online alcohol stores carry a high risk because they have no face-to-face interaction with their customers. So, it is very easy for children to buy drugs and alcohol online by using the ID card number of their parents or elders.
Several businesses need to use online age verification to gain the benefits mentioned above. It is a common belief that only gaming and gambling websites need ID verification, but the reality is the other way round. Below is a list of businesses that need to verify the age of their customers:
Online gaming and gambling websites
Online gaming and gambling websites are under the strict scrutiny of the regulatory authorities. They need to run in-depth KYC on the gamers before onboarding them and age-verification is a necessary part of this regulation. The major reason is to reduce gaming addiction among youngsters. Also, most of these sites are not suitable for underage kids.
Online age verification helps online gaming businesses to reduce the risk of non-compliance penalties by providing global coverage in age verification. It reduces the hassle of regulatory compliance by providing swift results. It helps businesses in retaining legitimate customers and keeping minors at bay.
E-commerce is a huge market. Often such platforms have a diverse range of products, some of them are suitable for minors and the others are only for adults. Such platforms have a hard time managing their audience because regulations related to age-verification are imposed on such platforms as well.
For example, if an online store sells grocery items as well as liquor in its product range, then it will need to introduce roadblocks in its website design to mitigate sales to minors. In this case, online age verification software proves to be an efficient tool for seamless risk prevention.
Drug stores and hospitals (medical marijuana)
Online drug stores and hospitals have the right to sell some very expensive drugs. Often such drugs prove to be fatal if used inappropriately. Online drug stores and hospitals (serving online or physically) are developed with the intention to serve needy patients with prescribed drugs.
Children use the prescriptions of their parents to get drugs. In such cases the children often get addicted to these drugs, and the parents and the drug store or hospital are unaware of the damage caused by their negligence.
Online lottery websites
It is a common practice to use the stolen identities of minors to onboard online lottery websites. These websites are exploited by criminals to wash their black money. If a lottery website does not verify the age of its customers before onboarding them, it will face multiple consequences when a criminal launders money through its platform using the identity of a minor.
The lottery website will have to pay penalties for underage selling and non-compliance with AML regulations. So, age-verification is inevitable to avoid harsh regulatory fines and reputational loss.
NGOs and Govt. Pension Funds
NGOs and government organizations have many beneficiary programs for senior citizens; such programs include food tokens, pensions, health benefits, tax deductions, etc. Criminals use the identity cards of these people to get benefits illegally. These organizations need to run KYC processes, including age verification, to reduce the loss to needy people.
The legal sector needs to run KYC and AML screening on their customer for compliance with AML regimes. At times the legal representatives are in a situation where the rights are transferred to a person after he/she reaches a certain age. In such cases, people often use fake IDs to manipulate legal representatives.
Online identity verification and age verification software will be very useful in such cases, as it will help the legal representatives in swift KYC screening along with age verification within a minute. It makes the whole verification process easier for the clients and the legal representatives as well.
Government agencies can use age verification for e-voting. It will reduce the hassle and cost of election a lot. Stringent identity verification and real-time age verification measures will reduce the risk of fraud in the election.
To wrap up, the benefits and use-cases of age verification are way beyond the general understanding of the masses. Many businesses can utilize age-verification software to increase their customer retention and fraud prevention. It helps the businesses in streamlining their security operations by onboarding secure clients.
The rapid increase in the use of the internet is raising some major concerns for parents regarding the online protection of their children. With the world moving towards digitisation and smart devices, every child is now exposed to the digital world. Whether it’s watching YouTube videos or playing games online, children are regularly using mobile phones and tablets. On the internet, no one knows who you are. The freedom of staying anonymous on the internet allows anyone to register on any website using any identity information.
Generally, to register on any site, we need an email address and some personal information like name, gender, date of birth, etc. For instance, Gmail, Outlook, and Yahoo provide easy access to free email accounts without proper verification of the individuals. Any child can get a free email account and use it for age-restricted sites, i.e. dating and porn sites, gambling platforms, online liquor stores, etc., by misrepresenting their age and identity. The same goes for adults, who can access services and products by manipulating their age.
“Act your age” isn’t applicable anymore in the digital world
The widespread use of the internet and smart devices has exposed minors to the dark side of the web. Although the existence of child predators, pedophiles, fraudsters and cybercriminals is not a new phenomenon, the ease of access to social networking and other online platforms has contributed to unsupervised encounters between adults and minors. This has grabbed the attention of cybercriminals and fraudsters, providing them another opportunity to exploit the identities of children.
Exposure of children to the internet has raised serious concerns for parents. The curious nature of kids, who want to explore everything online, is landing them in a dark pit, indulging in illegal activities. According to the NHS survey of smoking, drinking and drug use among school children (11 to 15-year-olds) in England in 2016, three percent said they were regular smokers, 74 percent said they find it very difficult to give up smoking and 6 percent said they were currently regular e-cigarette smokers.
Moreover, minors are actively seen accessing social networking platforms and multiple age-restricted websites. The substantial risk associated with such platforms is the lack of proper age verification and authentication checks. According to the Young People and Gambling 2018 report, more than 450,000 children aged between 11 and 16 place bets regularly. Not to forget that gambling is illegal in most countries, all the more so for minors. Furthermore, the presence of kids on the internet has resulted in increased child identity theft and fraud, eventually causing millions in losses for parents.
Age Verification – the need for Online Businesses
Anonymity on the internet and the negligence of businesses in confirming the age of their users are proving harmful not just for kids and their families but for businesses as well. In the past few years, some deadly events took place due to a lack of age verification checks at retail stores. In 2014, a 16-year-old boy murdered a schoolfellow by brutally stabbing him with a knife. When investigated, he claimed to have ordered the knife online from Amazon. That wasn’t the only case.
The rapid increase in such pernicious incidents and in children’s identity theft has propelled government and regulatory agencies to take steps against such incidents and come up with measures to avoid them in the future. To protect minors’ identities online and safeguard them from age-restricted content, products, and services, the government has imposed strict legal penalties on businesses that fail to verify the age of their users before allowing them access to mature content.
Businesses that don’t confirm the age of their customers before allowing access to age-restricted content can face up to two years of imprisonment and a fine. According to the Digital Economy Act 2017, commercially operated age-restricted websites must ensure that their users are 18+. In the case of failure to comply, the regulators are empowered to fine them up to £250,000 (or up to 5% of their turnover) and order the blocking of non-compliant websites.
Goals of Age Verification for Children:
Performing age verification online is essential to protect children’s privacy, ensuring their safety from cyberbullies and assuring that they don’t gain access to inappropriate and mature content.
Performing age verification online is hampered by the fact that children generally lack credentials and proof to verify their age themselves. Therefore, access to age-restricted websites and mature content is limited to users who can prove they are adults. If users fail to verify their age and identity, they will be straightforwardly denied access. Moreover, some websites perform identity authentication for adults and, on the basis of their authority as a legal guardian, age verification of their children can be performed. In this way, parents can track their children online as well.
Financial crimes are increasing at an immense pace. As per the United Nations Office of Drugs and Crime estimates, the global annual money laundering amount is 2% to 5% of the global GDP. This huge increase is a point of concern for regulatory authorities and businesses. Regulatory regimes are becoming more rigid and KYC compliance is becoming vital for businesses.
With evolving global KYC regulations, the biggest concern of businesses is to streamline their compliance processes with customer onboarding. Online KYC screening solutions address multiple concerns of executives planning to implement KYC compliance in their organization.
Becoming KYC compliant requires extensive research. Below is a detailed guide on KYC for businesses around the world.
What is KYC?
Know Your Customer (KYC) is a part of Customer Due Diligence (CDD) regimes. KYC is the process run by businesses to establish their customers’ true identity, to assess the risk associated with each customer, and to check their suitability as a client.
Businesses are required to verify their customers before onboarding them due to KYC and AML regulations. KYC is a layered process that varies according to the risk associated with every client. Basic KYC is the verification of the client’s original identity through name, age, address, ID card, face verification, etc.
The scope of KYC is not limited to the verification of clients only. Businesses around the globe practice it to verify their merchants, agents, partners, employees, etc. As the purpose changes, so does the name of the process: it becomes Know Your Merchant (KYM), Know Your Business (KYB), or Know Your Employee (KYE). But KYC is the most common, and one compact process can be designed to verify the customers, employees, merchants, etc. of a business.
History of KYC
Businesses, especially in the financial sector, adopted KYC well before other sectors due to the high financial risk associated with their operations. In the past, KYC regulations were only imposed on the financial sector, but the evolution of the financial sector and the advent of FinTech expanded the scope of KYC regulations.
BSA and Advent of KYC in Financial Sector
KYC started when the U.S. introduced the Bank Secrecy Act (BSA) in 1970. This act was developed to control drug trafficking by keeping an eye on black money transactions. Subsequent AML regulations were developed on the basis of the BSA in 2001 in the form of the USA Patriot Act, which was implemented in 2003.
After that, many other regulatory authorities introduced KYC and AML regulations at regional and international levels.
Evolution of KYC
With an increase in money laundering and terrorist financing, the regulatory authorities are always in a bid to enhance the regulatory framework. The KYC regulations of BSA were globally acclaimed and many states implemented those regulations or developed their own regulations accordingly.
After the Panama Papers broke, global regulatory authorities amended their KYC regulations to curb money laundering. For instance, FinCEN (a U.S. regulatory authority) amended the KYC regulations and expanded the scope of customer verification in 2016, because there were loopholes in the KYC protocols of financial institutions. Criminals used shell companies to wash their black money by manipulating the business proceeds of those businesses.
Since 2016, KYC is also addressed as KYB (Know Your Business). Global regulatory authorities now require financial institutions to verify the Ultimate Beneficial Owners (UBO) of the businesses that they serve as clients.
KYC Compliance Program
KYC compliance is not just a one-time practice. It is a thorough verification process that starts with developing a Customer Identification Program (CIP). The next step is assessing the risk associated with each client. In the case of a low-risk client, basic KYC is enough, but if the customer has a high-risk profile then Enhanced KYC is applied to that customer.
Customer Identification Programs (CIP)
Customer Identification Program is the first step in KYC compliance. It consists of the requirements of regulatory authorities that apply to your business model or industry. CIP protocols are the same in most of the regions in the world. For instance, in the USA the CIP requires that every financial transaction must be verified through an in-depth identity verification of the person making the transaction.
The CIP includes the risk assessment of the individual and business accounts of the financial institutions. The financial institutions are required to define their risk appetite. Once it’s set, the businesses and financial institutions are required to assign a risk rating to each of their clients. It helps them define risk measures for clients falling under different risk brackets. KYC procedures are defined uniquely for complete risk prevention in all those risk brackets. This is the point where the financial institution or the business decides the procedure of Customer Due Diligence (CDD) and Enhanced Due Diligence(EDD).
CIP also includes the collection of customer information and the verification of this information. Once completed the customer is assigned a risk rating and CDD or EDD is performed on that customer based on risk rating.
Customer Due Diligence (CDD)
Customer due diligence is the process of handling the customer’s information for KYC screening. It is the second step in KYC compliance. In this step, the basic information of the customer is collected in real-time or, in some cases, manually.
The information collected for customer due diligence is as follows:
Date of birth, etc.
This information is used to verify the identity of the customer. The customer is assigned a risk rating as per their credentials. The risk rating of the customer is decided on the basis of the customer’s country, financial credibility, and the AML screening of the customer. If a customer is found to be related to someone on a PEP or sanctions list, then the risk is considered high and Enhanced Due Diligence is practiced on such clients.
Enhanced Due Diligence (EDD)
In the case of a high-risk customer, financial institutions and businesses perform stricter KYC and AML screening, which is called Enhanced Due Diligence (EDD). Enhanced due diligence includes an in-depth investigation of the customer’s identity, financial status, income, etc.
Commonly enhanced due diligence includes collecting information about:
Transactions pattern and any unusual transaction
These EDD measures are designed by businesses as per their risk appetite. It is partially based on regulations and compliance protocols.
Who Needs KYC Compliance?
As per the regulations of global regulatory authorities, companies around the world are required to perform in-depth identity verification on their customers to eliminate financial crime at an organizational and international level.
As per the global regimes on KYC and AML, the following are major businesses and industries that are liable for KYC and AML compliance.
Banks and all their subsidiaries
Businesses in FinTech, online payment solutions, money transmitters, etc.
Virtual currency businesses
Dealers of precious metals
Real estate sector
Non-bank mortgage lenders
Casinos and online gaming
Regulatory Authorities Around the Globe for KYC and AML
The major regulatory authorities that develop, recommend and implement KYC and AML compliance regimes around the globe are as follows:
FATF (Financial Action Task Force) is a global authority that collects and analyzes money laundering and terrorist financing data from the globe and gives regulatory recommendations based on its findings. It has 190 member countries.
FinCEN (Financial Crimes Enforcement Network) is a bureau of the USA treasury department that collects financial transactions data and uses it for financial crime mitigation at an international level.
FINTRAC (Financial Transactions and Report Analysis Center) is a regulatory authority in Canada that collects and analyzes financial crime data and works on the thorough implementation of KYC and AML rules in Canada.
FINMA is a Swiss financial regulatory authority that supervises banks, insurance companies, stock exchanges, etc. The authority is responsible for the thorough implementation of Swiss KYC and AML regulations in the institutions liable for regulatory compliance.
Europol is a European Union authority that works on anti-money laundering and mitigation of financial crimes like terrorist financing.
Global KYC and AML Regulations
Regulatory authorities differ from country to country, and there are also some global watchdogs that bring countries onto one page for countering criminal activities. Most countries have their own regulatory authorities for designing and implementing KYC and AML regulations. But all the regulations have a few things in common, which are the minimum requirements of KYC/AML compliance. Global and local businesses need to comply with those regulations at a minimum to prevent non-compliance penalties.
Below are major KYC and AML regulations practiced in major states in the world like the USA, UK, Canada, China, etc. These regulations are practiced in other states as well with some variations.
The reporting entities are required to screen the identity of their clients before starting any relationship with them.
KYC and AML screening must be performed regularly on all customers.
Customers should be given risk rating and necessary measures of additional screening should be practiced to cater to excessive risk.
A proper record of KYC and AML screening must be maintained.
Transactions (local/international) above the minimum transaction threshold must be reported to the concerned authorities.
Penalties are charged in case of non-compliance.
For AML screening, the clients must be screened against international sanction lists, terrorist lists, PEPs lists, etc.
Some countries require the reporting entities to maintain an AML department and to hire AML officers as well for thorough compliance.
Due to global risk, businesses are required to develop some sort of global risk cover, such as KYC/AML screening software that can verify people from every corner of the world.
Global 2019 Trends in KYC and AML Regimes
Canada also changed its KYC and AML regimes to collaborate with the global regulations of FATF. It amended its PCMLTFA rules. FINTRAC, the independent regulatory body in Canada, will be responsible for the thorough implementation of these rules. Digital KYC will be possible, as scanned copies of documents can be used for KYC verification of customers. Money service businesses and virtual currency businesses will be added to the reporting entities and will have to follow KYC and AML regulations just like typical fiat currency businesses.
The USA also changed its KYC rules to cater to increasing money laundering and terrorist financing. It expanded its counter-terrorism powers and now targets international financial institutions around the world that aid terrorist groups working in the U.S. It also added three Korean groups, namely Bluenoroff, Lazarus Group, and Andariel, to its sanctions lists. These groups were involved in global cyber attacks on financial institutions.
The UK also amended its KYC and AML regulations and expanded the scope to an international level. The Money Laundering Act (MLA-2017) of the UK was amended. UK-based businesses will practice the MLA rules in their international affiliates operating in non-EEA states.
Also, the UK implemented its fifth AML directive in 2018-19. This directive reduced the transaction and deposit limit on prepaid cards. If the cardholder deposits or makes a transaction above EUR 150, the prepaid card provider will have to run KYC and AML on its customers. This limit is EUR 50 for online transactions.
FINMA, the Swiss regulatory authority, issued banking certificates to pure-play cryptocurrency banks. Tight KYC and AML regulations are imposed on these banks.
FATF also gave some recommendations in June 2019. As per the recommendations, the member states are required to implement KYC and AML regulations on virtual currency and legal sector.
The above discussion shows that fraud and financial crime are a global threat that affects not only businesses but also economies. The rise of the internet and FinTech created loopholes in the previously prevailing KYC and AML laws. Even if a business is the victim of a phishing scam, it will have to bear some sort of financial loss in the form of penalties, profit loss, recovery expenses, etc.
This is why regulatory authorities around the globe are joining forces against money launderers, terrorist financiers, cybercriminals and identity thieves.
So, businesses are obliged to exercise KYC and AML compliance for several reasons. KYC and AML compliance helps businesses in multiple ways.
Benefits of KYC and AML Compliance
1: Fraud Prevention
One of the major reasons why businesses perform KYC screening on their customers is fraud prevention and risk prevention. Fake or stolen identities are used by fraudsters to conduct their illegal activities anonymously. Mostly the victim businesses and institutions are targeted for financial gain.
Some common frauds with businesses are account takeover fraud, money laundering, terrorist financing, phishing scams, etc.
KYC and AML compliance help businesses with effective risk management. Once the risk is identified, KYC verification helps in seamless and thorough implementation of fraud prevention measures. Because designing risk prevention strategies is the first step, KYC and AML screening helps in reaping the benefits of such strategies.
2: Regulatory Compliance
As mentioned above, most businesses around the globe are liable for KYC and AML compliance. KYC and AML are not limited to developed and prosperous countries. Global regulatory authorities are expanding the scope of KYC and AML regulations to eliminate money laundering at a global level.
For instance, FATF, a global regulatory authority, recently included new members in its member states. The newly added countries are not developed countries but are the ones with a high rate of financial crime. Other than that, most countries have their own KYC and AML regulations and regulatory authorities for their thorough compliance. Some major authorities are mentioned above.
Regulatory authorities have the right to charge high penalties to the reporting entities in case of non-compliance. KYC and AML compliance practices help businesses in preventing any such penalties.
3: Secure Customer On-boarding and Customer Retention
Going KYC compliant helps businesses in developing a secure customer base. Screening clients before onboarding shows a business’s commitment towards securing the interest of all the stakeholders.
Research in 2018 found that 66% of customers feel more secure on online platforms that use security protocols. Performing KYC and AML screening on clients gives a positive message to the customers that you have them covered against fraudsters. Showing your security concern through visible security protocols helps in retaining clients. The same research found that a lack of visible security is the major reason why clients abandon an online transaction, globally.
4: Credibility and Growth
KYC and AML compliance helps organizations in gaining credibility and market value. Compliance with regulations helps in gaining global acknowledgment and market share. On the other hand, non-compliance with KYC regulations will leave loopholes that fraudsters will exploit.
In the case of non-compliance, businesses not only face profit loss, they also lose their credit rating in some cases. For example, one of the Swedish banks involved in a money-laundering scandal in 2019 lost its credit rating and market value.
So, KYC compliance helps in gaining retainable growth as KYC verification helps in onboarding only legitimate clients. Also, customers stay for a long time if the business offers good security protocols. So, it helps the business to retain and grow its market value and credit rating.
5: Real-Time KYC: An All-In-One Solution
Real-time KYC is when the customers are verified in real-time through the internet. In real-time KYC and AML screening, the customers are verified within a minute without using any physical document verification.
Identity verification is done through face verification, ID card verification, document verification, 2-factor authentication, etc. AML screening is also conducted along with KYC screening by checking the information of the end-user against global watchlists, sanction lists, PEPs lists, etc. So, it helps businesses in eliminating a huge risk within a minute.
Benefits of Real-Time KYC and AML Screening
A real-time identity verification and KYC/AML screening solution can be customized according to your compliance budget. On average, Shufti Pro offers a 20% lower cost compared to the market rate. Also, real-time verification is less costly than manual verification. There is no need to hire extra employees or build new infrastructure to accommodate a huge compliance department.
2: Frictionless Procedure
Real-time identity verification can be performed within 30 seconds. So it helps in attaining a frictionless KYC and AML compliance.
It helps the businesses in KYC and AML compliance as the whole process of KYC and AML screening is swift and effortless, from the API integration to the verification of the end-user. The end-users will not have to change several windows or webpages for verification.
A real-time identity verification solution provides high precision in results. Although the verification process is completed within a minute, this does not affect the verification results. Shufti Pro delivers a 98.67% precision rate in its identity proofing results.
4: Global coverage
KYC and AML screening done through AI-based solutions delivers global coverage in risk prevention. The software verifies the information with global databases and screens the information written in all major languages used in identity documents.
KYC and AML compliance is a global phenomenon, and businesses need a compact KYC and AML screening solution to comply with global regulations. Developing an in-house KYC/AML screening solution is not suitable because it is a huge investment. It requires top-notch resources and global coverage for thorough compliance. This is why most businesses around the globe, especially those with a global clientele, are using outsourced KYC/AML compliance solutions.
API integration is very easy and swift. All major programming languages are supported and integration can be done with a website and online portal or an app. So, outsourcing proves to be feasible for businesses in all aspects.
Process of Real-Time KYC
First of all, you design your KYC/AML screening solution as per your budget and add the services that you wish to receive as part of your KYC or AML screening solution. Then comes the integration of your business platform (website, app, online portal) with Shufti Pro’s system through API integration. On completion of the integration, the verification process starts. Either the new customers are verified or the previous ones are also verified through batch screening.
For verification, the customer enters the data and shows their ID card along with their face. So the verification is performed in real-time. After verification, the results are shown on the screen and updated in the back office provided to the customer.
Security breaches are increasing in number with every passing day. This keeps on happening. It would seem like every company should be taking their data security very seriously. After all, a data breach typically costs millions of dollars and tarnishes the company’s reputation.
According to Bitdefender, six in every ten businesses have experienced a data breach at some point during the last three years. Infosec professionals are acutely aware of the risks their organizations face with more than 58% worried about the organization in the face of a global cyberattack. In fact, the rest 49% confessed that they were losing sleep over it.
Human error can be a cause of 90% of data breaches
According to research half of the businesses around the world suffered a data breach
Data breach experience makes them more employable according to chief information security officer (CISO)
DoorDash Suffers Major Data Breach:
DoorDash, a food delivery company, confirmed a huge data breach a few days back, almost 5 months after it occurred. Users had started complaining almost a year earlier about their accounts being compromised inexplicably. The company confessed that 4.9 million customers, delivery workers, and merchants had their information stolen by hackers.
The breach took place on May 4, but users who made accounts after April 5, 2018 were not affected by this breach. Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen. Both delivery workers and merchants had the last four digits of their bank account numbers stolen. The cherry on top is that around 100,000 delivery workers also had their driver’s license information stolen in the breach. DoorDash was unable to explain the breach at that time but later said that the incident occurred through a third-party service.
The Damage a Data Breach Can Do
A data breach can drastically affect an organization’s reputation and financial bottom line. No one has forgotten the devastating data breaches at Yahoo, which reported two major breaches of user account data to hackers during the second half of 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Other organisations such as Equifax and Target have also been victims of a data breach. Today, many people associate those companies only with a data breach instead of their actual business operations. So a data breach can make a business lose not only its reputation but also its identity.
Different Types of Data Breaches and the Sources:
Different sources define different types of data breaches. Here, I group them by the root cause:
Hackers use malware, phishing, social engineering, skimming and related techniques to gain access to protected information.
Theft or loss of devices
Laptops, smartphones, thumb drives, and other data storage media can be lost, stolen or disposed of improperly. If they contain protected information and it ends up in the wrong hands, that’s a data breach.
Employee data theft or data leak
Employees, especially those who are leaving soon, might deliberately access protected information without authorization and with malicious intent. This can be a major reason for a data leak.
Mistakes happen, and people are negligent. Employees may accidentally send proprietary data to the wrong person, upload it to public shares or misconfigure servers where it is stored. Not having a good method for ID verification can also cause company data to fall prey to cybercriminals.
Tips to Prevent Data Breaches:
To prevent the loss of millions and of the company’s reputation due to data breaches, the following preventive measures should be taken:
Limited Access to Valuable data
Previously, data access was given to all employees. Companies are learning the hard way now and limiting access to crucial data. This narrows the pool of employees who might click on a harmful link. Only those who actually need access are given it; this is the common-sense solution companies probably should have been applying all along.
Know Third-party vendors
Every company does business with a wide array of third-party vendors. It’s more important than ever to know who these people are. What if the guy who delivers office supplies just got out of prison? It’s something to think about. So always adhere to KYC regulations not only for your clients but also for the third-party businesses you are going to take services from. Verify who you are dealing with. In addition, be sure to limit the types of documents these vendors can view.
Though precautions like this can be a hassle for the IT department, the alternative could be a multi-million-dollar data breach. Demand transparency for those companies that are allowed to view your important data. Make sure they are complying with privacy laws; don’t just assume. Ask for background checks for third-party vendors who must enter your company on a regular basis.
Conduct Employee Security Awareness
Studies revealed that employees are the weakest link in the data security chain. In spite of training, employees open suspicious emails every day that have the potential to download viruses. One class of training is never enough. Regular classes on safeguarding important data should be conducted once a month or more frequently.
Update Software Regularly
Regularly update all your software applications and operating systems. The professional recommendation is to install patches whenever possible; otherwise the network is vulnerable. Microsoft has launched a product in this regard, known as Baseline Security Analyzer, that can check and ensure all programs are patched and updated.