Matthew Field discusses how Japan’s FIs can enhance the maturity of their AML programmes through a data-driven approach that places the customer entity in focus.
The Financial Action Task Force’s (FATF) recently published mutual evaluation report of Japan highlighted key deficiencies at financial institutions (FIs) in relation to their understanding of basic AML/CFT concepts, including in areas such as customer due diligence (CDD), beneficial ownership (BO) identification, transaction monitoring and screening.
Specifically, the report said the transaction monitoring and screening systems in place within some FIs are still basic and have limited effectiveness, and that, in terms of customer risk, many FIs collect only basic information such as the customer address, which is also often not updated.
Customer Due Diligence
In Japan, the obligation to collect and update basic customer information was not introduced until 2016. Further updates to regulations in 2019 imposed more detailed requirements for risk assessments to be performed on every customer. Without a clear regulatory driver in place before this, it is no surprise that adequate systems had not been put in place and that the industry in general has been playing catch-up in terms of modern CDD practices for financial crime purposes.
The mutual evaluation report also noted that processes to update customer information “tend not to be applied in a systematic and timely manner to existing and new customers”.
It also raised further concerns over the quality and effectiveness of CDD programmes, specifically mentioning challenges in the collection and verification of BO information.
In other developed markets, FIs tend to have in place automated approaches for both the collection and analysis of customer data, which ensures consistency and serves as an important control against financial crime.
The collection of KYC and associated CDD data should be built into the onboarding process as well as throughout the customer lifecycle with the FI, with new and changed data being monitored and analysed on an ongoing basis. Data should be monitored as close to real time as possible so that any changes which affect the risk or raise concerns can be immediately escalated and managed accordingly.
Further, FIs should be performing analysis on the data collected and assigning each customer a risk score. This risk score should be dynamic and should automatically change based on any changes in risk, and CDD teams should be notified if any such change in risk occurs.
Delivering Customer Risk Scores
FIs should have the ability to assess risk contextually, using data brought together from KYC and CDD processes – as well as transaction monitoring, screening, fraud, and third party systems – to deliver an accurate risk profile and score for a customer.
The next stage in achieving an effective understanding of the customer and risk is to take in additional data points to monitor and assess all risks, not just for KYC purposes but for other purposes such as helping to better understand transaction, screening, and fraud risks.
To achieve this, FIs will have to use a solution which utilises multiple internal and external data points to make informed, real-time decisions on customer risk. Today this typically involves the use of artificial intelligence (AI), machine learning, entity resolution, and network analytics.
When done right, this approach will ultimately deliver a risk profile that FIs can be confident reflects the customer’s real attributes, thereby also ensuring an accurate master risk score of the customer that can be trusted.
The risk profile can then be automatically fed into other connected systems, such as for use in updating thresholds and segmentation in transaction monitoring, tuning of sanctions screening systems and fraud detection models, as well as to adjust customer risk scores in CDD programmes. This will ensure that more accurate alerts can be raised for investigation where necessary.
It can also help inform revenue generation teams of the customer risk when considering new products or services. Having this information stored in one place will drive financial crime compliance efficiency and effectiveness, lower costs, and significantly reduce the friction that disjointed compliance solutions can cause for customers.
CDD Should Interact with Transaction Monitoring
The mutual evaluation report also highlighted that FIs for the most part are not applying proper enhanced due diligence (EDD) measures to higher risk customers. In cases where enhanced measures are applied, they are limited to identity verification methods and list screening.
“There are no stringent operational rules regarding higher risk customers nor escalation procedures to ensure that additional or enhanced controls are conducted,” the FATF said.
The report highlighted that customer records need to also be taken into account in the context of actual customer transactions. Indeed, a key risk indicator in AML systems is often that a customer’s transactions do not match up with what an FI knows about the customer, their characteristics, and their business.
The FATF report said: “FIs do not usually perform customer risk rating based on the characteristics of their customers nor make connections between the customer’s profile and transactions records.”
It further said: “Banks are starting setting priorities to conduct CDD on existing accounts, but applying a RBA [risk-based approach] proves challenging when banks have limited information on customers.”
In Japan, ongoing CDD measures are largely limited to updating information collected on the customer and to screening lists, an approach the FATF says “does not allow FIs to make connections between the customer’s profile and his/her operations, and to detect potential deviation from the expected customer’s behaviour.”
The report recommended that Japanese FIs need to improve verification of customer information and “fully implement ongoing CDD requirements, based on comprehensive and dynamic customers’ risk profiles, which take into account transactions records.”
FIs should implement information systems that can integrate CDD data and transaction monitoring, the FATF said, adding that transaction monitoring parameters should be “attuned to FIs’ business, to the identified risks and to customers’ behaviour and risk profiles and based on appropriate detection scenarios.”
Achieving this would in many cases require modernising the FI’s transaction monitoring and CDD technologies to enable enhanced behavioural profiling. CDD and transaction monitoring systems should not be siloed.
High False Positives
The FATF report noted that the majority of FIs in Japan have developed their transaction monitoring systems in-house, but that these tools are “uneven” in terms of complexity and efficacy, and suffer from false positive ratios “up to 99%”.
“The highly time-consuming activity of manually checking the large amount of false positives limits the capability of FIs to utilise their resources in order to improve their AML/CFT framework,” the report said.
As most financial crime compliance professionals would know, high false positives have been a challenge for FIs across the region for years. But, given that this has been widely recognised as a common industry problem, the tools available today apply advanced technologies and new approaches that are able to significantly reduce false positives, while also enabling the benefits of automation and improving the effectiveness of financial crime detection.
According to the FATF, the high false positives characteristic of monitoring systems at Japanese FIs reflects “the incorrect setting of the red flag indicators”, including basic trigger criteria and thresholds, as they are not based on transaction patterns and known ML/TF typologies. “These factors limit FIs’ ability to detect other suspicious behaviours than the basic ones,” it said.
Most modern transaction monitoring systems today give users the flexibility not only to easily understand how their rules are performing but also to change settings and thresholds. In general, technology has moved away from ‘black box’ approaches towards greater transparency, which can enable further insights from analytics and AI capabilities, including on the effectiveness of rules and thresholds.
In the partnerships we have with FIs, we have been able to achieve on average a 60% reduction in alert volumes, a 40% reduction in level 1 alerts, and a 30% increase in true positives. This was achieved by understanding which rules were either under or over performing and applying machine learning models on historic alert dispositions to tune and recommend new rule settings.
“A very limited number of FIs appear to have proper transaction monitoring systems in place that look at the characteristics and behaviour of a customer in order to highlight suspicious activities,” the FATF said, adding that the controls in place are limited to sanctions and organised crime group (Boryokudan) lists screening.
Meanwhile, some FIs such as small deposit taking institutions have not implemented transaction monitoring systems at all, estimating that their transactions can be manually monitored due to their small operations and a customer base assumed to be lower risk, the report says.
It is worth noting that the Japan Bankers’ Association has been working with the industry to develop a new transaction monitoring platform that will be shared by the industry and allow for federated learning and data sharing between banks.
While this is an exciting initiative, it does not absolve FIs from the obligation to have suitable transaction monitoring systems in place within their own organisations.
The FATF has highlighted several areas where improvement is needed at FIs in Japan. No doubt, the report was based on the AML/CFT measures in place as of November 2019, and as such does not recognise more recent achievements to address known weaknesses based on updated regulations.
Notably, we know that Japanese regulators and government agencies are creating a specialised AML team as part of their response to the FATF evaluation, to enhance cross-agency coordination and tackle financial crime more effectively. New legislation will also be introduced next year to toughen penalties for AML violations, which in many other jurisdictions has been a driver for FIs to modernise their AML systems.
The Financial Services Agency (FSA) is also more closely examining how well AML measures are working at regional banks and other local FIs. This review follows a revision of the AML guidelines in February which sought to strengthen overall customer management at banks.
With the impetus from government and regulators, FIs have an opportunity to enhance the maturity of their AML programmes considerably. Many of these improvements will be solutions- and data-driven.
Based on our work with other FIs, the focus should be to:
- Enable a customer risk-based approach utilising technology that allows continuous risk scoring based on the transactional and non-transactional behaviour of the customer.
- Ensure the customer entity is the focus of every alert investigation, not just the individual transaction threshold breach, so that other alerts and the relationships of the customer are also made visible.
- Implement a process and solution that can provide more assurance that the institution understands the BO risk of any customer.
- Deploy transaction monitoring solutions that are open and transparent and allow users to easily update trigger criteria and rule thresholds.
- Leverage AI or machine learning analytics to provide tuning recommendations on the deployed typologies and rules to drive down false positive rates and better predict the likelihood of whether a false or true positive alert will result.
We believe this approach is achievable via modern AML solutions that place the customer entity in focus.
This article was contributed by Matthew Field, APAC Market Lead for Anti Money Laundering at NICE Actimize.