Utilities – an important tool in fighting financial crime

Illicit finance is one of the most serious issues facing society today, threatening international security and prosperity. It can underpin and enable the most heinous of crimes, with estimates suggesting an overall cost to the UK alone of at least £37 billion a year.^[1]

Tackling illicit finance is difficult. Organised criminal gangs continuously evolve their operations to exploit and defeat controls put in place by law enforcement and the regulated sector. They exploit weaknesses in the system, deliberately moving money between multiple institutions and jurisdictions. This is in the full knowledge that challenges in information sharing between financial institutions will make it difficult for authorities and institutions simply to "follow the money".

In a previous white paper, we outlined a number of reforms that could improve the effectiveness of the response to tackling illicit finance. Essential among these was the development of innovative data and information-sharing utilities. These include mechanisms that allow the same process to be undertaken once on behalf of many organisations — for example, know-your-customer (KYC) utilities — or which enable siloed datasets to be brought together to identify patterns and networks that could not be seen by looking at data in isolation, such as transaction-monitoring (TM) utilities.

In recent years, there has been much more interest in utility models and a number of jurisdictions have begun to plan, pilot and explore approaches to information sharing. For example:

• The Tri-Bank pilot (UK) pooled transactional data from three banks in pseudonymised form. This was combined into a dataset over which analytics were applied to reveal suspicious patterns of activity for further review.
• Transactie Monitoring Nederland (TMNL) is piloting a TM utility which involves five major Dutch banks monitoring and overlaying typologies from the national financial intelligence unit (FIU) to aid understanding of priority money laundering threats.
• In Switzerland a number of banks are working together to pilot a utility for sharing data for anti-money laundering (AML) alert mitigation. The goal is to create a model, with agreed thresholds, that in the future will allow the banks to share KYC-derived information.
• In Denmark, the Ministries of Industry, Justice and Taxation have run a pilot to assess the feasibility and value of establishing a central analytical platform. This enabled financial institutions' transaction data to be enriched with law enforcement intelligence, demonstrating the effectiveness of collective financial crime prevention and detection.
• In Singapore the "Collaborative Sharing of ML/TF Information & Cases" (COSMIC) model is a planned information-sharing utility involving six banks, which prioritises three risk areas: misuse of shell and front companies; trade-based money laundering; and sanctions evasion. The pilot is led by the Monetary Authority of Singapore, with the intention to introduce legislation to support such information sharing.^[2]

In the UK an information-sharing proof of concept facilitated by the UK Home Office and UK Finance is in progress, with the aim for multiple banks to share information about customers who pose the highest financial crime risk.

What has been learnt about utilities to date?

Pilots have shown that utilities are viable and valuable, demonstrating that it is possible to set up information sharing across multiple financial institutions and that the processing and outcomes can identify new risks, enhance intelligence and improve suspicious activity reports (SARs), as well as potentially releasing capacity across the system. To realise the full benefits, however, greater clarity in legal and supervisory frameworks would help.

Other sectors already successfully use utilities, from which the AML community should learn. For example, the benefits of information sharing utilities are well-understood in the fraud and cyber domains, where utilities are integral to business-as-usual (BAU) processes.

The public sector has a vital role to play and utilities work best when they use intelligence insights. This means that public-private collaboration, sharing intelligence about threats and risks, is a significant enabler of success. The public sector could play an even greater role, however, including the provision of data sets, clarification of guidance and clear encouragement for utilities through enabling regulation and legislation.

Managing data privacy requirements that protect the personal information of individuals when sharing data is a genuine challenge, but one that can be addressed. Privacy-enhancing technologies (PETs) such as homomorphic encryption could help.

The use of PETs should be balanced with discussion on the need for regulatory and legal clarity on information sharing and the use of data to support technological innovation. Wider use of cross-regulator sandboxes, for example, covering both data privacy and financial crime, would support greater sharing of best practice, particularly in relation to how data privacy and AML laws can be balanced.

Sharing information across borders is even harder, necessitating the management of data privacy regulations among jurisdictions. For example, the requirements of the EU General Data Protection Regulation (GDPR) still hold, regardless of a company's base or location, if they are collecting data from an individual within the EU. This affects the way entities share their data, and the efficiency with which they can do so.

Incentivisation is essential. The absence of regulatory recognition currently limits the time and resources that entities will invest in such initiatives when balanced against the need to meet wider regulatory obligations.

Leadership is critical and, coupled with an overarching governance structure, can drive forward and implement utilities where there are large and complex groups of stakeholders. Senior support within organisations can also unblock internal issues and help to resolve matters with other participants in utility models.

Lastly, there is opportunity to exploit existing points of data aggregation, such as the national payments architecture. A particular priority should be to test how centralised analytics could be run across these existing points of data aggregation to identify and disrupt financial crime and assess the effectiveness and efficiency of doing so.

Implementing data utilities

Looking across information-sharing frameworks, in the authors' view there are four stages to driving a well-functioning utility system:

1. Define the scope: Focus on bringing together participants, agreeing a clear purpose and starting to understand the legal framework.
2. Deliver a pilot project: Test and validate the approach, particularly the balance between data privacy and financial crime regulations. The authors see significant benefit in involving regulators at this stage.
3. Operationalise the pilot: Incorporate utilities into BAU and focus on developing a technology environment that would support future expansion. At this stage it is expected that institutions would start to realise some efficiency benefits.
4. Optimise the operating model: Enhance, fine-tune and automate the utility model. This would also include additional functionality and expansion of the capability across the sector so that it becomes a regulatory expectation for these approaches to be used.

Organisations are likely to need one or more partners to provide many of the supporting services on this roadmap, such as project management or technology, if they are to fully realise the benefits of a well-functioning utility model.

 Public-private collaboration

Despite the potential challenges of developing utilities, they have the ability to transform the effectiveness of the anti-financial crime framework. This is especially true when public and private sector insight is brought together to enable utilities to be truly intelligence-led and aligned with the prioritisation of threats. As such, the development of utilities and the required investment and innovation should be actively encouraged.

______________________________________________________________________________

References: 

[1] The economic and social costs of crime (publishing.service.gov.uk)

[2] Monetary Authority of Singapore Consultation Paper on FI-FI Information Sharing. (mas.gov.sg)

Link to Thomson Reuters Regulatory Intelligence article for subscribers: http://go-ri.tr.com/xvcZOV