Challenger banks vulnerable to AML-savvy criminals

By Alex Hamilton | 31 January 2019

Digital-only challenger banks and new market entrants are vulnerable to savvy criminals looking to exploit weak anti-money laundering (AML) controls, according to John Davies, chairman on Kompli-Global and deputy chair of the Emerging Payments Association (EPA).

Speaking at the launch of the EPA’s new whitepaper on financial crime, in central London, Davies said: “There are people out there creating new technology companies which are now able to become payment transmitters. They’re all great technicians but they actually know sweet Fanny Adams about money laundering.”

The problem, added Davies, is that due to the profitability of successful fintech companies, the payments industry is experiencing a form of “land grab”. “You have companies boasting that they have one and half million customers in a short space of time, but do they know truly who [those customers] are? Of course, they don’t.”

German publication WirtschaftsWoche claimed to have found a security vulnerability in challenger N26’s banking application by using fake identification documents, including an image which had been edited using consumer software, in October last year. London-based Revolut reported a series of suspected money laundering activities on its systems in July to both the Financial Conduct Authority (FCA) and the National Crime Agency (NCA). In January this year, Ben McRae, a systems engineer at Arcadia Group, claimed on LinkedIn that UK challenger Starling Bank held a copy of his passport online that could be accessed by anyone with the appropriate URL.

Davies said the rush to make customer onboarding as effortless and as quick as possible leaves digital challengers vulnerable to fraud. “To truly understand the person it is serving, a bank needs to know ‘everything there is to know’ about a customer, he said. “You can’t do that in five minutes.” Criminals and money launderers are more likely to operate through know your customer (KYC) processes they deem to be simpler to pass through.

“We need to change the game and how we approach this. If we don’t change the game we’re going to get the same results,” Davies said, before showing the audience an image of a terraced house. “It should win a number of awards,” he added.

“It has more turnover per square foot than any other location in the UK - £7.4bn. 4,300 businesses were registered at that address and that £7.4bn went through the UK banking system. All good money launderers know how to pass KYC. They know what they’re about and they know how to work around banks’ KYC controls.”

Regulatory catch-up

“There’s an arms race in technology,” said James Mirfin, global head of digital identity and financial crime at Refinitiv, at the same event. “Criminals are using it to attack institutions at scale. Fees that a few years ago would have been a few thousand dollars are now in the millions.”

Steven Bisoffi, a consultant and payments advisory lead at Huntswood, added that companies in the industry need to increase levels of collaboration to tackle the evolution of money launderers in the market. “When we have multiple sources working on analysis you will end up knowing why so many businesses are registered at a certain address and know who runs them. You don’t get that working with just one source of information.”

For William Dodsworth, head of financial crime policy at Barclays, it’s not just the financial institutions having to keep up with criminals embracing digital change. “Regulators have been forced to play catch up. We had the third money laundering directive in 2007, the fourth in 2017 and we’ll likely have the fifth in 2020, which will finally give us something on a European level about crypto exchanges. It’s become very hard for regulators to pre-empt what’s happening.”

There is “a lot of confusion in the marketplace” about the multiple layers of regulation coming into force, added Bisoffi. “This extends through financial services and affects companies which interact with payments on a regular basis. We are being asked questions like ‘what am I actually doing?’ and ‘what are my responsibilities?’. It ends up with a scramble to comply and becomes a box-ticking exercise rather than an attempt to fight financial crime.”

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development