False positives: a growing headache

Compliance is one area where banks and financial institutions cannot easily cut back on costs. All those operating in financial services are obliged to screen both their clients and individual transactions, to ensure they do not breach sanctions or other regulations: for example, by allowing funding to reach groups such as Al Qaeda or certain Russian interests in the Crimea.

Banks are prevented from allowing any such entities onto their books. The penalty for not exercising control was underlined by the heavy fines imposed on those banks that reportedly implemented the rules in a way that enabled continued trade with Iran to take place.

In recent years, the demands of anti-money laundering (AML) obligations have also increased, with banks required to screen customers to prevent this risk. There is also a steadily increasing tax compliance screening requirement, while the introduction by the US of the Foreign Account Tax Compliance Act (FATCA) requires banks to report any American citizens or businesses located overseas that are on their books.

To this must be added the increasing importance of reputation management; for example, a bank can ill afford to have a manufacturer employing child labour in Bangladesh on its books.

As banks conduct a daily screening of customers and transactions against a long and steadily lengthening list, the chance of a match or near-match that must be investigated grows with it – such as customers who share the same name or who have similar names.

It’s a complex process, due to the mechanics of screening data. Financial institutions with overseas subsidiaries and/or which trade in US dollars must also respond to the jurisdictional requirements of each territory they operate in.

The result – perhaps inevitably – is that these daily screenings produce a large number of ‘false positives’, or alarms that flag an issue that must be investigated but prove to be nothing. For a typical bank conducting know your customer (KYC) screening, 75%-85% of the alerts it remediates on a daily basis are false positives, while up to 25% are reviewed by level-two senior analysts.

Working through each alert is time-consuming and complex, at an average cost of £20 each time, cumulatively creating a hefty bill when a bank has millions of customers to screen. Remediation departments have steadily increased in size, and some larger financial institutions report that their annual bill for AML screening alone exceeds US$1bn.

A growing problem

The problem of false positives is deepening as the number of obligations grows – for example, Russia’s intrusion in the Crimea in early 2014 resulted in a punitive sanctions regime imposed on dealings with Russian citizens and businesses. Each investigation must address the complexities of who owns what, where they own it and whether it is subject to sanctions, with all banking products subject to a lengthy screening process.

The European Union directive on AML promises to widen banks’ obligations still further by extending the requirements to companies operating in the property sector. The Fourth Directive adopts a more prescriptive approach to those customers who may have been considered as low-risk.

Those low-risk customers must now be treated as though they are potentially high-risk and undergo the same level of scrutiny. This additional requirement promises to soak up resources better spent in addressing high-risk individuals/transactions. Bank customers will find that obtaining products becomes a more time-consuming process: they will have to present their passports more frequently and respond to more questions, to meet the requirements for “Know-Your-Customer” (KYC) identity verification. So the onboarding process is lengthier, costs increase and customers must respond to questions that some will regard as intrusive. The additional requirements also change the nature of bank and customer relationships; previously regarded as opportunities, they have come to be seen more as risks.

De-risking is creating headlines, as banks opt to withdraw services in certain territories or for certain categories of customer. Some countries are seen as having become too risky; a prime example being Iran, where the primary aim of imposing sanctions might have included an encouragement for banks and businesses to disengage from the country.

There have, additionally, been unintended consequences: money remittance businesses have found it increasingly difficult to get services from the banks, which regard them as a poor money-laundering risk. Typically, these are small-scale businesses working in local communities and penalised by the fact that they remit money to countries rated high risk, such as Mogadishu. The resulting risk is that the money involved will instead go through an unofficial channel, while export credit may also become more difficult to obtain for certain regions.

Governments obviously do not wish to drive this flow of money underground, making it harder to monitor, and have encouraged banks to maintain these services on a case-by-case basis. Among the outcomes has been that bank compliance departments have escaped the general trend for cutbacks and seen staffing levels increase, while their employees have enjoyed improved pay and higher visibility. These departments have also seen greater investment in technology.

Much work remains to be done in compliance, and a major percentage of screening work continues to be manual. Risk intelligence will help meet the challenge, and bringing previously siloed customer databases together will allow banks to achieve a single overview of risk.
