Financial crime and the Great Convergence
The Great Convergence consists of four driving forces: data portability; portable identity; richer, faster payments, and central bank digital currencies. While these forces promote innovation, efficiency and a seamless customer experience in financial services, they also pose new risks and challenges that must be considered.
In anticipation of the Great Convergence's impact on the Canadian banking ecosystem, it is crucial for financial crime compliance programs to exhibit and demonstrate adaptability on cyber, fraud and money laundering risks.
In this article, we approach the subject with key industry-fed insights, along with noteworthy remarks and potential action items.
Financial crime risks and implications to consider with the Great Convergence:
Data portability
At its core, data portability refers to data transfer from one point to another. For instance, sharing documents to apply for a mortgage involves the transfer of information from one source, a banking financial institution, to another, a mortgage broker. In the context of a digital-forward world, data portability allows data subjects to provide consent and thus allow their data to be securely shared using standard formats with accredited third-party organizations.
While data portability boasts advantages such as increased control of shared data, there are new risks and challenges that are equally important to consider.
While new ways of sharing and transferring personal data are inherent to a digital-first world prioritizing data portability, if data is not properly managed or accounted for, serious implications such as data breaches or data leaks could occur. For instance, in an increased data portability world, data exchanges between various platforms or entities, such as digital wallets or aggregators, will be common practice, leading to increased data sharing to a larger set of companies, which in turn results in increased exposure of the information shared. Furthermore, new entrants in the market will need to ensure security and encryption measures are prioritized since, as newcomers to this ecosystem, they may not have the same level of resilience to fraud attacks in comparison to well-established banks, further magnifying their potential risks and vulnerabilities.
Data security and data governance protocols should be under greater scrutiny as organizations continue to learn how to govern client data and provide the best security measures to reduce data breach opportunities. One way to accomplish this is by collaborating with the cybersecurity team to develop and enforce stringent policies, to establish advanced and resilient intrusion detection systems, and to conduct regular system audits and pen tests. Furthermore, promoting data security awareness among employees can significantly enhance their understanding and handling of data security protocols, thus strengthening the first line of defence against data breaches.
The current and evolving landscape regarding data privacy will continue to bring forth innovation and, in turn, new concerns and complications around the subject. One of the primary goals to sound data privacy includes the principle of collecting reasonable and required amounts of data while remaining compliant to applicable jurisdictional privacy laws concerning data collection and consumption.
Portable identity
Portable identity is part of a revolutionary change that will enable end users, or customers, to have control over their identity, including the breadth of attributes they choose to share. This in turn can promote opportunities to strengthen security and privacy, resulting in enhanced trust.
While the impact of such an instrumental change from requiring physical or other means of identification documentation to one digital ID suggests a positive change forward in a digital-first world, there are a few key takeaways that should be considered from a fraud and anti-money laundering financial crime lens.
As the focus on customer data storage shifts from organizations to individuals, it's likely that criminals will also shift their targets from corporations to users. Given this context, customer identification, verification and authentication processes will need to be revamped. It's crucial that additional controls are put in place to account for the heightened risk of criminals impersonating others to engage in illicit activities via fraudulently obtained digital IDs. The main risk lies in transitioning from physical to digital platforms, as fraud must be controlled on both these fronts while actively monitoring for fraudulent activity during the enrollment process for digital IDs.
Customer information systems, such as know-your-customer (KYC) authentication systems, must be able to identify and authenticate digital IDs effectively alongside an increased need for storage and processing capabilities to digest richer data as various levels of complex digital IDs are consumed. In the same vein, personal information must be incorporated in customer risk rating models, including the impact of higher-risk transactions that are alerted via the organization’s transaction monitoring systems, which play an important part connecting appropriate transaction monitoring data and its corresponding source personal information. Deepfakes may also become a challenge for financial institutions’ verification processes in the future. Even though deepfakes cannot bypass the better biometrics solutions in market, technology is evolving at rapid rates, and deepfakes — voice and video cloning — are becoming more and more realistic and may eventually possess the ability to bypass biometric controls.
Navigating risk ownership is a challenging and evolving landscape for the industry. While many constructs suggest risk ownership to companies, the added construct of personal information managed by consumers themselves increases the complexity of the traditional, and centralized personal information risk constructs.
Therefore, should such responsibility fall with users to safeguard their digital IDs? Or should there be a collective responsibility across all touchpoints that require digital ID consumption? For instance, third-party service providers offering storage for digital ID wallets and financial institutions requiring digital ID authentications to process banking services may both share some degree accountability in the risk ownership.
However, the answer to this scenario is complex and will be shaped by prevailing industry trends and regulations, such as scam reimbursements or fraud victim reimbursements as observed in the UK. As the Canadian banking ecosystem evolves and liabilities are well defined, the notion of risk ownership will certainly be subject to adjustments and refinements.
Richer, faster payments
Richer, faster payments are paving the way to a faster and richer source of transacting. From increasing volumes of online and digital payments globally, Canada’s Great Convergence will soon include this and in-effect ISO 20022 standard for payments which will enable richer data-transfer payments between peers and organizations, boasting efficiency at its core to settle payments at significantly faster rates than traditional methods of payments such as automated clearing house and electronic funds transfer. With the significant increase in speed, coupled with the irrevocability of payments after they are processed, there are multiple risks to consider.
Speed and convenience are two major advantages for consumers of the Real-Time-Rail. These two factors may result in reduced scrutiny of transactions, possibly allowing illicit transactions to go undetected. This may be prevalent in systems that are not readily able to detect unusual and illicit activity.
Therefore, fraud detection tools, sanctions screening tools and transaction monitoring systems should inherit greater capabilities, such as enhanced capabilities of ongoing monitoring systems to compute and process larger sets of data in real time as well as the application of generative AI and supervised learning models to improve risk management in real time. If ongoing monitoring systems are not managed appropriately, the risk of backlogs and increased lags to process Real-Time Rail payments could be the unfortunate result of reactiveness.
Based on the UK and US launch in real-time payments infrastructure implementations, criminals were the first adopters of the new technology. This resulted in millions in losses within the first weeks of adoption. Canadian banks should proactively evaluate the necessity of ongoing controls to address fraud and money laundering risks while implementing real-time capabilities for validating transaction growth, monitoring incoming payments, and other relevant measures.
As a reporting entity, applicable regulatory reporting obligations must be met and reported under the prescribed timeframes subject to the reporting entity. Such instances of these from a Canadian regulatory lens include electronic fund transfers, including the travel rule, large cash transaction reports, unusual and suspicious transaction reports, and if applicable, other reporting such as large virtual currency transaction reports and terrorist property reports (TPRs). Additionally, internal reports are not to be excluded in its value, as these can help highlight process, procedural and/or system gaps identified with reporting in the organization.
When doing business with other payment service providers, an organization must apply a risk-based approach. That includes policies, procedures and controls that are congruent to its enterprise risk management framework, and that are sound in the organization’s sanctions and payment screening fine-tuning and threshold criteria. The approach should incorporate the organization’s feasible risk appetite to identify and evaluate payment service providers that have varying compliance program robustness to apply effective and sound risk-based approaches in the mitigation of illicit funds flowing in and out of the organization.
Additionally, there's the implication of disrupting services potentially causing system downtime in real-time payment infrastructures. This could be due to distributed denial-of-service attacks, which might not only cause significant service disruptions and financial losses, but also provide opportunities for criminals to exploit these vulnerabilities.
