Podcast | April 5, 2023 | 33 min listen Episode 37: FRAML Fundamentals to Fight Fraud and Money Laundering TwitterFacebookLinkedInEmailMessenger What can financial institutions and other regulated organizations do to stem the rising tide of fraud and money laundering? We invited two compliance experts to share their perspectives and offer insight into today’s trends. We discussed the risks, how organizations are merging their efforts into a comprehensive FRAML approach, today’s latest technology and more. Transcript: Saxon Prater (SP): Each year, digital payments and online transactions become more and more commonplace and convenient. Laura Sewell (LS): But there’s a catch. As digital payments increase, so does the chance of bad actors attempting to fraudulently use these channels. SP: This increased fraud paired with the constant fight against money laundering means risk managers have their work cut out for them. LS: Given the high stakes and commonalities between these financial crimes. Many organizations are merging their efforts into a comprehensive fraud and AML approach. We call that FRAML for short. SP: Today, we invited two of CSI’s regulatory compliance experts: Bradley Wallace, Director of Compliance, and Amber Goodrich, Senior Compliance Analyst, to talk us through some of the FRAML best practices. Amber Goodrich (AG): We all know humans make errors and we are not as quick as a machine when it comes to being able to scan through a set of data, especially a large set of data, to pull out transactions that might look suspicious. So, it’s really about doing things quickly and making sure that everything is identified as well as it can be. LS: I’m Laura Sewell. SP: I’m Saxon Prater and welcome to Fintech Focus from CSI. LS: Well, good morning, Bradley and Amber. How are you? AG: Good morning. Doing pretty well. How are you? LS: I’m good. I’m ready to talk about FRAML. Well, to start off, a lot of people tend to use the terms fraud and AML concurrently, but they’re not exactly the same thing. Can you talk to us about their similarities and also how they differ? AG: Yeah, absolutely. So, both of those terms are financial crimes, obviously. I think the simplest way to explain it is that fraud is really kind of using deception or dishonesty to generate illegal funds or proceeds. Right? Money laundering, then, is the process that comes after that or could come after that to integrate those funds into the financial system. So, making the dirty money appear clean at that point. I do hear the terms used interchangeably quite a bit. You know, they’re obviously related. They could go hand in hand. And a lot of institutions tend to kind of piggyback compliance efforts on each other for both of those. If you’re seeing things kind of separated out, fraud departments are typically, you know, really trying to address that criminal activity and protect the organization from that financial loss that could be incurred. And the customers, right? On the other hand, with AML departments specifically, they are really more focused on the compliance aspect of things and kind of needing to protect the financial system overall, because money laundering can be such a big and complex thing once those funds get integrated into the system. So similar goals, similar types of crime, just kind of function a little bit differently, typically internally when you’re talking compliance. Bradley Wallace (BW): And we should focus really kind of on what the term FRAML really means. FRAML really brings together the AML operations as well as the fraud operations to automate data sharing and the insights that the company, the financial institution can create as they operate separately in these two departments. You bring these anti-fraud and AML teams together so that they’re focusing on individuals who have the types and the same types of criminality that they are conducting. However, by combining the two functions, you’re really intersecting where money laundering and fraud come together from a tracking perspective. So, this helps to reduce false positives, speed up things like customer onboarding, and just kind of better identifies the lifecycle of customer risk that is created through both the components of fraud and AML. Using FRAML technologies allows financial institutions to analyze a vast amount of various data transactions, consumer behaviors, and really gives you a holistic risk profile that financial institutions had really kind of siloed from each other, from a risk management strategy within their organizations. So, by bringing these formal tools together and creating these high level holistic risk profiles, you have a better opportunity at predicting and preventing both fraud and AML components where they intersect. SP: So we’ll definitely dig into the technology a bit more later. But what exactly are some of the things that they’re scanning for that would flag something as either money laundering or fraudulent behavior? AG: Suspicious transactions, I think is really the basis of it and suspicious customers at a certain level. It’s looking for anomalies in customer behavior. So, things that don’t appear normal when customers open accounts at banks or credit unions or really any types of accounts, typically they have to identify upfront what the expected activity on the account is. So, this would identify, you know, deviations away from that. It would identify suspicious transactions occurring outside of their normal geographic area, outside of normal dollar amounts, all kinds of things. Bradley. Are there other things that you can think of to add to that? BW: Right. So, what it can do is it can help the financial institutions or other industry specific concerns or businesses to create webs – webs that show how their customers interact with one another and how they interact with parties outside of the organization. And then, as Amber has said, it gives you those outlier items that can show you organizational transactions or customer specific transactions that fall outside the norm. So therefore, you get more realistic, targeted transaction activity that identifies real-time transactions that do not fit the customer’s patterns, the customer web or the standards for the organization as set. And these technologies constantly evolve themselves to be able to reduce those items. And then from the customer perspective, it allows you to know your customer better and meet those KYC customer items that put the pressure on the financial institution of really understanding who their customer is and what they do. Because we can’t interview our customers every time they make a transaction to understand what the purpose of that transaction is. So, it helps you to kind of build that knowledge. LS: You know, I remember (it’s been years), but maybe most of us can remember the time when you would go out of town, say, and try to use your credit card and it would be flagged and the credit card company would want to speak to you. I don’t know. Maybe that’s been decades for all I know. But that doesn’t happen anymore. Is that a factor or a product of just, you know, better technology is more expertise in financial institutions or… AG: Probably a little bit of both. And I think it does still happen occasionally. But exactly what you said, you know, when you’re implementing technologies like that that are able to make quicker detections and smarter detections of those types of transactions, it’s much easier to flag those quickly and be able to shut them down. Obviously, expertise in financial institutions has evolved over the years to knowing what to expect, and I think the information that those institutions are garnering from their customers is also getting better. So, I do think it still happens occasionally. But I think that, you know, it’s definitely gotten a little bit easier to come about. SP: Yeah, it actually happened to me about a year ago where my card was basically turned off because of suspected fraud, even though it was just an accidental payment that I made while I was traveling. I imagine it probably depends on the financial institution or organization’s risk tolerance. AG: Yeah, there’s obviously thresholds that the institutions will set for things like that. That trickles down, as Bradley talked about a little bit. The risk tolerance trickles down all the way to the customer level, right? And there’s risk profiles that are developed at the customer level. So, your risk profiles, Saxon, might look a little bit different than Laura’s if you travel a lot or you travel internationally a lot, or if you’re doing a lot of cash intensive types of transactions. So, it definitely depends on the institution and the customer as well. LS: Your listening to Fintech Focus, we’re talking with CSI’s, Bradley Wallace and Amber Goodrich about family and combating financial crime. SP: We’ve mentioned that the landscape is changing. Could you go through some of the most important developments of the past few years? What has changed? BW: Probably one of the biggest developments of the last few years is the AML Act of 2020 that implemented a very significant overhaul of the anti-money laundering rules and regulations here in the United States as part of the Defense Authorization Act of 2020. All of this came out in actually January of 2021 when Congress passed the act. Other items that would be of note are we now receive AML priorities each year started in 2021 from FinCEN, and that’s a Department of Treasury, OFAC and FinCEN document that gives businesses and financial institutions directions on an annual basis of what the priorities are in anti-money laundering and fraud risk that the agencies are identifying so that we in the industry that actually have to implement these can prepare for what the expectations are so that our customers and the businesses can protect themselves. Further, we have seen a new and really intensive focus on digital currencies and assets. There has been kind of a renewed focus on that as that has been more broadly adopted over the last few years. So, you’re going to see a need to start treating that more as a fiat style currency with a very targeted program at each organization’s level of digital currency fraud and AML risk. There’s been an intense focus globally on AML and CFT. You’ve seen the FATF regulations come down at an international level, really focusing and targeting on that, and that’s been a lot of the response of the AML Act of 2020 – to address that more global systemic items. LS: So, you mentioned digital currencies and geopolitical factors. Are there any other new tactics or methods of concern that might be on the horizon? Are there things that you’re concerned about that might come up next? AG: Instant payments, things going through and being credited instantly, I think is a huge risk and it’s been a big focus, especially internationally and, you know, cross-border type of transactions. I think that’s going to continue to be a focus and something to kind of watch. We kind of keyed in on the alternate types of currency and things like crypto and bitcoin and all of that good stuff is always a huge focus. It hasn’t been super regulated, I would say, at this point. I know it’s been kind of a focus and it’s something that we’re probably going to see more regulation on. And then one that I find kind of interesting is apps that have multiple functions. So, obviously the first one I think of is Facebook with things like Facebook pay. But even some of the other social media is like Snapchat and Twitter. They all are kind of branching out into different functionality and a lot of them are kind of dipping their toes into either payments or some sort of financial aspects. And that really kind of increases the difficulty of managing the risk around that. So that’s another area that I find kind of interesting, and I imagine we’ll see some developments moving forward. Bradley, are there any that you thought of that I didn’t? BW: Well, Amber, I’m going to just echo some of the topics that you discuss. You know, born out of the global pandemic, there was a lot of fraud that occurred globally in general that led to new money laundering tactics being born because there was this huge and significant push to digital payments spurred by the fact that we couldn’t leave our homes. We were having to think of new ways of moving money. There was a push for a lot of people not even to touch currency. So, you know, we saw a huge uptick in digital payment fraud occur out of that. And those frauds continue to evolve. And that’s where the timing of the FRAML products have been so great in the market because of this new and renewed focus on digital payment fraud. Another form of fraud that’s really becoming prevalent, borne out of the COVID pandemic, was remote work tactics that are being used from the remote work. It’s the fact that a lot of us now have that opportunity to work from home. So, there is a need for security and so on and so forth for our PCs. And we’re not in that office environment where it’s easily able to speak to fellow employees when we get the emails or the messages and things like that. So those spoofing and social engineering tactics are becoming prevalent again. The war in the Ukraine brought on a whole new form of sanctions evasions. And we’re seeing a whole lot of new sanctions rules coming out in regards to that. All of that is part of fraud and AML tactics that are being born. But something else that I personally have been advocating is at the state level in the United States, drug trafficking is actually starting to uptick again, as we’ve seen legalization of marijuana at the state level. Now, remember, at the federal level, marijuana is still considered a schedule one narcotic. So, you have businesses and financial institutions that at the state level have the right to engage with these marijuana businesses that are now legal at the state level. But they still have to contend with the federal level regulations and they dance that fine line of the drug trafficking risks that comes with dealing with those marijuana businesses, that being sure that that’s all they’re dealing in. So, drug cartels have a great way of introducing other drugs into the United States using those legalized marijuana businesses. So, that’s another tactic that has been on the radar of the regulatory authorities. LS: Wow. It’s a lot for compliance people to keep track of. I think I’ll stay in my current job. BW: Well, those of us that work in the field, we love it. So, we’re passionate about it. LS: I’m sure you do because it’s fascinating, honestly. SP: You mentioned the 2020 Anti-Money Laundering Act as a massive change to bank secrecy laws and obviously an approach to money laundering. Can you give us a little bit more information about what that is and how it’s going into effect? BW: Be happy to do that. In the United States, probably one of the biggest components of the AML Act of 2020 is the disclosure of beneficial ownership. The beneficial ownership rule came out several years ago. Beneficial ownership has always been one of those mechanisms where shell companies can be used to perpetuate money laundering activity, because through shell companies, the ownership of the company can be hidden. So, if you have sanctioned individuals, individuals who are bad actors or known blacklist individuals for organizations and things like that, they could use shell companies to add their identity and perpetuate money laundering. Such things as drug cartels could use those shell companies to move the money. With the new disclosure of beneficial ownership brought on by the AML Act. It’s the first real step that the United States has taken. Like many of our European countries that we have seen in understanding and knowing the ultimate beneficial owners of organizations and to thwart the abilities of shell companies to hide the AML risk or AML components. It’s going to put a lot of burden on the entities themselves, not our financial institutions especially. It’s really going to be a great tool for financial institutions to be able to have a documented source of information coming from this. Beneficial ownership will be a listing administered by FinCEN and every organization in the United States that meets the beneficial ownership rules for definition of having to identify who their beneficial owners are, will have to file a report with FinCEN to update who their beneficial owners are. It is a nonpublic national database, so it’s not going to be publicly available. It’s not quite detailed out at this point who all will have access to that. But we’re going to make the assumption that at least the financial institutions and other parties who are responsible for money movement will have access to that data so that they can understand their customer bases. The other big component that you’re going to see with this is you’re going to see increased money laundering penalties. A lot of the penalties increased significantly, sometimes up to three-fold of what prior penalties were. And there’s a renewed focus on the PEP expectations. In the United States, we adopted the broader international, politically exposed persons terminology. If you go to the regulation, we’re always going to refer to it to Senior Foreign Political Individuals. But they’re one in the same. And concealing PEP information is becoming a real high focus for money laundering activity in the United States. You’re going to see increased penalties from the period of time of how much jail time can be obtained. And you’re going to see more civil penalties and those of us that are in industry professionals being more subject to penalties. There were new whistleblower programs that were brought out. And not to harp on those too much, but lots of protections around identifying and notifying regulatory authorities of businesses that are evading the new BSA programs, as well as increased information sharing on not only a national level, but an international level for money laundering activity. Now, let’s be clear, though, that there were carve outs for China and Russia and that if you’re dealing with or have financial institutions or subsidiaries or affiliates that are in the China or Russia geographies, you do have to get special case by case permission from the Department of the Treasury and Justice to be able to deal with information sharing across those boards, so on and so forth. And then we’re back to the digital assets and other entities such as those that deal with real estate investments, yachts, art. There is an increased focus through the act that modernized how those organizations will process payment, method sources of funds and just general BSA/AML items in those organizations as well. AG: Yeah, kind of the theme throughout the AML Act is really modernization. So, they’re really trying to break the program’s standards and implications up to date and kind of improving information sharing with banks, improving inter-agency coordination between places like FinCEN and law enforcement and the financial institutions. And really just kind of modernizing programs as a whole. There are not certain stipulations outlined in the AML Act per se. But there is a heightened focus with a lot of suggestive language around adopting technology and making sure that your organizations are modernized, really making sure that you’re up to speed in 2023, and that your organization is ready to kind of deal with a lot of those broadened AML things that we’ve been discussing already. SP: This is Fintech focus. We’re setting our sights on Trammell with CSI’s Bradley Wallace and Amber Goodrich. LS: So, Bradley, you mentioned entities and that the onus for complying is on businesses to prove that they are not shell companies, they’re on the up and up. So, for bona fide business owners who are just trying to run their business and do so in a legal manner, what are some of the key elements of this legislation for them to keep track of? BW: So really, all that they need to know is there’s nothing to fear if everything’s on the up and up. It’s a matter of… there’s just a little more regulatory paperwork for you to file. And once you file that, really your responsibility is just to keep it updated and to be aware. So I would tell our listeners that it’s really something that’s going to protect them and there’s no real significant burden coming their way. LS: Gotcha. So, you mentioned paperwork and keeping it updated. Is there a standard for keeping the paperwork updated? BW: Those standards haven’t been detailed yet. So, more to come. LS: Okay. SP: So, in terms of modernization, Amber, you were talking about bringing in new technologies or using technologies in an efficient way to ease this process and as Bradley said, to not really have any fear. Can you speak a little bit more about what roles those technologies can play? AG: Yeah. So, this goes back to a little bit of what we were talking about in the beginning. It doesn’t explicitly explain what new technologies are being required because they’re not being required. It’s just a suggestion at this point. But there is an emphasis on artificial intelligence and machine learning specifically in the AML realm and really kind of implementing those to get a better grasp on who your customers are and what they’re doing and kind of integrating those into your systems as a whole and wrapping that risk up into one big. nice picture. Obviously, we talked a little bit about this already, but it really can help in a lot of areas. Fraud and AML, obviously really identifying your customers, being able to tell which transactions are suspicious and which ones are not and do that in a real-time manner. That’s really kind of where the differentiator with the technology comes into play, right? If you are currently functioning without any sort of technology like that in a financial institution of any sort, you’re probably doing a lot of things manually. And if you’re relying on humans, we all know humans make errors and we are not as quick as a machine when it comes to being able to scan through a set of data, especially a large set of data, to pull out transactions that might look suspicious. So, it’s really about doing things quickly and making sure that everything is identified as well as it can be. Anything to add to that, Bradley? BW: Well, I think that’s where you’re going to see this explosion of the FRAML solutions that are going to come out. Because, again, those of us in the industry that have to comply with both the fraud and AML logic are going to need tools that help us to integrate and web our customer activity together so that we can identify those deviations, those anomalies, those risks so that we can have updates to our risk profiles for our customer bases that are real-time (and) create knowledge based solutions that are not reactive. Because let’s be honest, the average financial institution or business cannot consistently custom tailor their risk management solutions for diminishing fraud and AML risk on a daily, weekly or even monthly basis. Most of the time, our risk processes are semiannual at best to annual. So, with these tools, it’s going to enable us to be as close to real time as we can get and far more reactive to the changes that are happening, especially with the acceleration of payment services in the digital environment that we see today. LS: And this AI and machine learning is fantastic for automating, catching things that a person would have a hard time keeping up with. But talk to me about the relationship between these fantastic solutions and the compliance analysts out there that still they’ve got to be able to analyze the information. AG: Yeah, I think Bradley hit the nail on the head with the reducing false positives, right? So, if you’re sitting in the chair as a compliance analyst or, you know, a fraud analyst even, you’re going through and you’re looking at data every single day to identify which transactions might be off, see if there’s patterns with your customers. This is going to not only make it easier, but quicker, right? It’s going to reduce time, reduce monetary efforts. There are all sorts of things that kind of come into play with that. And I think it’s something where you’re never going to completely get rid of the need to have a human looking at things. I don’t really see (I mean, you guys may disagree with me, this is all personal opinion), but I don’t see AI replacing you know, compliance analysts or fraud analysts anywhere. Because there’s still you know, there’s a human element to really identify whether it’s truly suspicious or not. But I think it’s definitely going to be a more dominant tool for sure. BW: And I like to use analogies when I’m trying to explain these types of tools to customers. It’s like going to the optometrist. You know, you’re sitting there and you’re trying to look at the chart and they have they’re constantly flipping the lenses. Is one better or two better? Well, what the AI is doing is, it’s focusing you in on to what the real point or line item that you need to be looking at on that chart. And it’s weeding out all of that additional noise and fuzziness so that our compliance analysts are fraud analysts are individuals who are in those roles, are better equipped with quality information to do their job successfully. And I completely concur with Amber on the statement that in no way do these tools eliminate the need for human intervention. That need will always be there because the AI is not going to be able to pick up the phone and talk to customers, to write the reports, to file a lot of the reporting items like the SARs and comb through other human-based needs that are going to be there. But what it’s going to do is it’s going to make our industry more secure by targeted information that’s being presented to those of us that do the real work and roll up our sleeves. SP: So I think that’s a good place to sort of wrap up this conversation. You know, for those people who are ready to roll up their sleeves and are listening for something actionable, are there any immediate steps that either of you would recommend to protect against some of these financial crimes? AG: Yeah, the step one and it’s always the step one when I’m giving this type of advice is evaluate policies and procedures. That’s to me just kind of the basic step. See where you’re at today, what might need to change based off of, you know, what we talked about today as far as evolving threats, as far as evolving regulations. You really have to get that baseline first, kind of where you’re at to see where you might need to improve. And with that comes the new technologies. Is it right for your organization? Maybe, maybe it’s not. It’s going to be dependent on each and every different type of institution that’s out there. I would say to stay on top of the regulations. We talked about this a little bit already, but the AML Act is not completely finalized at this point. There’s still a lot to come on that. So, stay on top of that, make sure that, you know, if the beneficial ownership rule, if you’re a business, if it’s going to be applicable for you, that you’re monitoring those dates, when things go into effect and when you’re going to have to start reporting. On the flip side, as a financial institution, make sure that you know, when that registry from FinCEN is going to become available to you and that you’re really monitoring those things. And another one that I always like to throw in there, because I really enjoy looking at this and reading it, is watching enforcement actions (and) making sure that you are keeping on top of your peers and their downfalls. Right? So, all of the regulatory agencies will publish publicly their enforcement actions. OFAC does, the banking regulators do. So, keeping an eye on that periodically and seeing where others are failing can really keep organizations kind of on top of things, in my opinion. Anything to add to that Bradley? BW: Amber, I think you did a great job of hitting the highlights. Something that I always like to encourage is to make sure that you, if you are not currently as a compliance professional, working hand-in-hand with your fraud area as well as your risk management areas, you need to start that collaboration now, because these tools are going to collaborate those departments together. So, now would be a good time even if you don’t use these tools to start, understanding how your internal policies and procedures integrate with both your risk and your fraud prevention tools to ensure that your policies and procedures and your practices of the organization all adhere hand-in-hand into remediating both the risk piece, the fraud piece, as well as the compliance pieces and other regulatory requirement pieces within your organization. Something else that I like to point out is taking the time to sit down and understand within your organization, especially with your fraud teams, the new fraud that you are seeing – that can help you identify holes in practices that your organization may hold. And then it gives you a better understanding of when you start assessing for tools that you’re going to use to help mitigate understanding where your holes are and what tool will be the right tool for you in the end. Those are just two pieces that I would add. LS: Well, fantastic. Bradley and Amber, thank you so much. You’ve given invaluable information and advice here and it’s always a very interesting topic to cover. So, thanks again for coming on. AG: Thank you guys for having us. BW: Yeah, thank you for having us. We love talking about it. LS: Thanks again to Bradley Wallace and Amber Goodrich for sharing their expertise on Fintech Focus. And thank you all for listening. We hope this discussion provided some useful insight for your organization’s FRAML journey. SP: Interested in learning more about fintech, regtech or cybersecurity? You can find previous episodes of this show and learn more about who we are and what we do at CSI by visiting csiweb.com or subscribe to Fintech Focus wherever you get your podcasts. We’ll be back soon. But until then, find us on Twitter @csisolutions or on our Facebook page: Facebook.com/csisolutions. See you next time.