If you have built a product that allows actors (people, businesses, or any other types of legal entities) to move money, you have an obligation to make sure your product is not exploited by criminals.
As part of such obligations, you need to establish and implement a certain set of policies that follows the local regulations. The procedures would typically include:
- Appointing a Money Laundering Reporting Officer (MLRO)
- Staff training
- Risk assessment
- Conducting Customer Due Diligence (CDD), Simplified Due Diligence (SDD) and Enhanced Due Diligence (EDD)
- Screening for persons on sanctions lists and Politically Exposed Persons (PEPs) lists
- Transaction monitoring
- Ongoing monitoring of customer behaviour and transactions
- Recordkeeping
- Reporting suspicious activity
If not implemented properly, companies risk becoming a target for criminals and running into various penalties from the authorities. For example, in 2022, losses caused by fraudsters reached $8.8 billion. Most of them took place after the initial onboarding.
Further, and most importantly, we must remember that financial crime has an actual impact on people’s lives whether they are victims of fraud or are directly exploited by criminals in various illegal activities, such as human trafficking.
While each of the steps is essential in combating criminals, this article focuses on transaction monitoring and its implementation. This procedure can be complex, but ignoring it can be hugely detrimental to your business both financially and from a reputational perspective.
Here are some practical tips to help you to define your financial crime risk profile and some ideas about controls which you can use to fight fincrime.
Understanding your regulatory obligations
Before implementing transaction monitoring into your system, you should carry out a proper assessment of the regulatory obligations and the risks your company will have while operating. The risks can be assessed based on the company’s products, customer profiles, and the nature and frequency of transactions.
FATF Recommendation 10 is the starting point to understand measures you must implement to combat money laundering, terrorist financing and proliferation of weapons of mass destruction. Your local region and regions you operate in will also have regulations and legislation which mandate the basic controls you must have in place. Use industry bodies, regulatory experts and financial crime specialists to guide you on interpretation.
Regulatory compliance, however, is just the starting point in the fight against fincrime. Being compliant protects you and your business but is often not specific or responsive enough to cover all the creative ways criminals exploit the rules or to control emerging criminal behaviour.
Determining your fincrime risk exposure
In order to make sure you get the most out of transaction monitoring, you need to understand the financial crime risks inherent in your business/product proposition.
Try and answer the following questions to begin defining your business’s financial crime risk (this is not an exhaustive list but it should get you on the right track):
- How could criminals gain access to my product? Hacking, gaps in your onboarding (KYC) checks, using stolen identity and/or card details
- How could my product be used to launder money? Does my product process transactions which could be proceeds of fraud?
- What customer segments make sense for my business? Understanding typical customer behaviour makes it much simpler to identify what is atypical
- Are some of my segments more risky than others? Are some groups of customers more likely to include criminals or to be victimised?
- Does my product allow interaction with high risk regions?
- Does my product include functionality which could be exploited by criminals?
Answering these questions will highlight your most obvious risk areas. Once you have mitigated the highest risks, move on to the next most serious category. Using this method, you can make sure the controls you select are proportionate to the risks you face – this is called taking a risk-based approach.
The advantage of taking a risk-based approach is that when you make an effort to map out risks by thinking like the bad guys, segmenting your customer base and transaction flows in addition to mandatory regulatory compliance, you can subject high-risk groups to stricter and/or more specific controls tailored to identifying specific fincrime behaviour patterns.
Understanding suspicious behaviour
Transaction monitoring effectiveness is directly related to how well you understand your customers’ behaviour.
The best way to analyse how your customers use your product is to look at data about these interactions and define what is normal/expected for a legitimate customer in each of your segments. If you are brand new and do not have live data, take time to sketch out a ‘user persona’ for each segment.
Once you have a good idea of what ‘normal’ looks like for each segment, you can define suspicious behaviour as anything that deviates from this definition. Alerting on these deviations is transaction monitoring. This is a powerful first step to stopping fincrime and does not necessarily rely on understanding fincrime typologies.
Here are some examples of suspicious behaviour, which might help you orient yourself in the early stages:
- Unusual transaction amounts
- Unusual series of transactions (e.g., a number of cash credits)
- Unusual geographic destination or origin of a payment
- Known threats or typologies
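The following is an added example, not part of the original article: a per-segment baseline built from historical transactions, with alerts for the first three deviation types listed above (amount, series of cash credits, geography). The field names, the `retail` segment, the placeholder country `ZZ` and the thresholds (`k`, `max_cash_credits`, `window_hours`) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from statistics import median

def build_baselines(history):
    """Per-segment 'normal': median amount, robust spread (MAD), countries seen."""
    by_segment = defaultdict(list)
    for tx in history:
        by_segment[tx["segment"]].append(tx)
    baselines = {}
    for segment, txs in by_segment.items():
        amounts = [t["amount"] for t in txs]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts) or 1.0  # avoid divide-by-zero
        baselines[segment] = {"median": med, "mad": mad,
                              "countries": {t["country"] for t in txs}}
    return baselines

def monitor(stream, baselines, k=6.0, max_cash_credits=3, window_hours=24):
    """Return (tx_id, reasons) for every transaction that deviates from its segment."""
    cash_times, alerts = defaultdict(deque), []  # customer -> hours of cash credits
    for tx in sorted(stream, key=lambda t: t["hour"]):
        base = baselines.get(tx["segment"])
        if base is None:  # no definition of normal yet: route to manual review
            alerts.append((tx["id"], ["unknown_segment"]))
            continue
        reasons = []
        if abs(tx["amount"] - base["median"]) / base["mad"] > k:
            reasons.append("unusual_amount")
        if tx["country"] not in base["countries"]:
            reasons.append("unusual_geography")
        if tx["kind"] == "cash_credit":
            times = cash_times[tx["customer"]]
            times.append(tx["hour"])
            while times[0] <= tx["hour"] - window_hours:  # drop credits outside window
                times.popleft()
            if len(times) > max_cash_credits:
                reasons.append("unusual_series")
        if reasons:
            alerts.append((tx["id"], reasons))
    return alerts

def _tx(i, cust, amount, country="GB", kind="card", hour=0, segment="retail"):
    return {"id": i, "customer": cust, "segment": segment, "amount": amount,
            "country": country, "kind": kind, "hour": hour}

# Constructed sample data, not real transactions.
HISTORY = [_tx(f"h{n}", "c1", a, hour=n) for n, a in enumerate([20, 35, 40, 25, 30, 45, 50])]
STREAM = [_tx("t1", "c1", 30, hour=1), _tx("t2", "c1", 900, hour=2),
          _tx("t3", "c2", 40, country="ZZ", hour=3)]
STREAM += [_tx(f"t{h}", "c3", 40, kind="cash_credit", hour=h) for h in (4, 5, 6, 7)]
print(monitor(STREAM, build_baselines(HISTORY)))
```

Each alert carries its reasons, so a caseworker can see which part of the segment's definition of normal was breached.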
Businesses need to have a clear understanding of what they want from a transaction monitoring solution. This will come after answering the questions and defining the behavioural patterns from the sections above.
After that, companies need to make sure that their solution corresponds with the requirements from the regulators. While the specifics vary, in general, your company would need to flag suspicious behaviours and properly examine them in a timely manner. After that, it’s essential to submit such cases to the government authorities and take appropriate actions.
Keeping up with new criminal practices
It’s helpful to remember that financial criminals are professionals and they are as motivated to innovate on their skills and methods as you are in your career and business – this means that the methods criminals use to move illicit funds are constantly developing, so you will also need to continuously improve your transaction monitoring controls to manage new risks.
The best way to do this is to regularly reassess your definition of atypical customers and analyse your transaction alerts to understand if they are still effective. Some of the issues companies face when establishing transaction monitoring solutions include:
- Having too many false positives
- Facing too many regulations that lead to complex rules
- Balancing between strong protection and conversion rates
- Combining different vendors into one system
- Poor casework delegation and low quality inspection tools, leading to missed cases, incorrect decisions, and wasted time
To conclude, transaction monitoring is a complex solution that requires a thorough understanding of the way your company operates, the local regulations, and the strategies used by criminals. Therefore, our partner Sumsub has prepared a complete guide on transaction monitoring and an in-depth explanatory article with all essential information on the topic.