In July 2021, the Financial Action Task Force (FATF), an independent inter-governmental body that develops and promotes global policies against money laundering and terrorist financing (AML/CFT) published a paper called “Opportunities and Challenges of New Technologies for AML/CFT”, which started by noting that new technologies have the potential to make AML/CFT controls faster, cheaper and more effective. The professed goal was the development of “smart” financial sector regulation that both addresses risks and promotes responsible innovation. Technology, the report said, can facilitate data collection, processing and analysis and help actors identify and manage ML/TF risks more effectively and closer to real time.
All that is true. A quick glance through the news and media pages of established AML/CFT service providers in the digital assets space proves it. Case study by case study shows that law enforcement is able to work and trace the flow of funds on blockchain in real time or almost, which translates into increasing high percentages of recovered funds. Sophisticated document integrity checks which can be carried out in less than a few seconds are able to spot a potential fake Government-issued identity document, and selfie, liveness and other biometric checks ensure that the person uploading the documentation is the right one. At the same time, names are being screened via a multitude of watchlists, criminal and law enforcement databases as well as other publicly available information, computer IP addresses, credentials and emails are being checked and stored, and patterns of transactions are being recorded.
Compare this with the traditional way of doing things – painstaking collection of “wet ink” originals via mail, manual review and updating documents, manual checks of watchlists. Clearly, technology has the potential of making things faster, cheaper and less dependent on human error (or moral hazard). With the smart use of embedded risk profiles and a clear understanding of operations, a business can significantly decrease its ML/TF risks; instead of hundreds of employees working in a linear fashion to run checks and document findings, incidentally killing trees in the process through excessive paperwork, a company can achieve the same result with a dozen highly trained employees and a smart AML/CFT compliance program, which will flag only the cases which actually require a manual review, present all the facts and risk factors on a dashboard with easy click-on-me-to-view links, calculate risk scores, and conveniently record an audit trail of views and approvals and checks carried out for later on. Convenient, right?
However, we argue that with the accelerated growth of innovation, it is important to also learn to view compliance with regulatory requirements, AML/CFT risk management, data protection and cybersecurity from a holistic systems thinking perspective. Otherwise, the end result may not be what is actually needed or even intended.
Indeed, the convenience of modern compliance technology, cheap and effective, may be too tempting for regulators and businesses alike. If compliance only comes at a fraction of the cost, why not impose it on everyone, for everything? We don’t want to envisage a world where getting a cup of coffee at Starbucks would require KYC (short for know-your-customer, which is a legal obligation imposed on many traditionally regulated entities in the financial services space). We also don’t want to create small walled gardens rich with personal data and private financial information, tempting targets for criminals, ransomware attacks, etc.
Now that we finally managed to advance data protection to allow individuals to request that their information not be collected and used without consent, we don’t want to create a backdoor under the guise of AML/CFT compliance. Because we are only human, too often, businesses are caught in a loop of managing regulatory risk instead of ML/TF risk, in a form-over-substance approach, by accumulating a wealth of KYC information and user data without the proper safeguards, and/or by filing a storm of suspicious activity reports (SARs) that actually overwhelm law enforcement instead of helping them out. Convenient and cheap technology will only worsen these bad habits, unless we decide to become more aware of the overall risks and consequences of such an approach.
The solution comes from an understanding of what a risk-based approach (RBA) truly means for AML/CFT compliance, and what are some of the other risks which a business needs to manage (either because it is legally required to, or simply because what’s good for the customers is good for the business). The FATF itself recognizes in conclusion of its report that we must ensure that the use of innovative tools is compatible with international standards of data protection, privacy, and cybersecurity. This means that regulators and various other stakeholders need to talk to each other, and so do different departments of a large organization. We suggest an overall audit of the risk factors impacting a business and a systems thinking approach. Digital assets businesses have an opportunity to build better and more effective systems compared to traditional actors. Over time, rules and regulations themselves will evolve into “smart” contracts and programs. But the right design is everything.