AML compliance 11 min read

How AML crises can make our future brighter

Because history has shown us that a crisis may be just what we need to grow and change.

Taavi Tamkivi
Taavi Tamkivi
Co-founder, CEO, and Professional Optimist

aml-breaches-are-opportunities-title-2.jpg

We’re all painfully aware the power a crisis has to fundamentally change our future. But, I want to take a pause from Covid for a moment to look at another crisis that’s fallen on the backburner — because it still has a lot to teach us.

I’m talking about the crisis of the AML (anti-money laundering) scandals that have been hitting banks all over the world. Did you know, in 2019, that nearly 1 in 4 of the world’s largest banks were fined for AML breaches? (1) That’s a massively high infection rate.

In the public or media, it’s easy to write off banks with AML breaches as greedy and corrupt, but if 25% were struggling in 2020 to manage their AML, then the problem is likely far more complex than a few bad actors.

I’m from Estonia, one of 3 tiny Baltic countries mixed up in some of the largest recent AML scandals — which is why this topic is especially important to me. In the last decade I’ve personally witnessed both the rise and fall of a bank called Danske in my country of Estonia. At first, Danske was offering us affordable mortgage loans and helping boost our nation’s economy and better our people’s lives. Then, recently, it was getting our nation’s name into the headlines due to Danske being at the forefront of one of the largest money laundering scandals in Europe. (2) Not exactly what any of us want to be known for.

But, sadly, it hasn’t just stopped at Danske. For awhile now, Estonia and the Baltics have continued to be in the spotlight for rather unflattering reasons — namely, being the epicenter of the Danske bank money laundering scandal. Estonia’s reputation has definitely taken a hit as a result. To add to that, recently, another local bank called Swedbank faced similar headlines for having serious deficiencies in its management of the risk of money laundering in its Baltic operations. (3) It’s easy to get lost in self-pity or frustration. Call me crazy, but I actually feel massively hopeful and thankful for this AML crisis. Because, in the long-run, I believe crises have the potential to bring us far more good than harm.

Before you write me off, let me explain.

aml-breaches-are-opportunities-1.jpg

A crisis is an opportunity to face our fears, then change and grow

I know from recent experience that a nation-wide crisis can be an opportunity. Do you know where NATO’s Cyber Security Defence Centre is located? I do.

In 2007, my country of Estonia experienced its own dark times after a decision was made to relocate a Soviet-era Bronze soldier statue. That simple act not only inspired riots all across our nation, but also a major retaliation. The nation of Russia launched a cyber attack on Estonia — the first of its kind against a nation state.

Rather than burying its government files under a cloak of classified shame, however, our Estonian government chose radical public transparency around what happened, coupled with an incredibly practical response. Shortly afterwards, I watched in awe as our entire nation put an enormous effort into building up its cyber security.

Remember the question on the location of NATO’s Cyber Security Defence Centre? You might have already guessed — or even known. It’s here in Tallinn, Estonia. But why not someplace like Washington DC or London? Because, after those horrific 2007 cyber attacks, our nation grew an entirely new ecosystem meant to fight cyber criminals. Thirteen years on, you’ll find a robust culture of cyber security that’s pervaded both our private and public sectors in Estonia. But, the reality is that we wouldn’t have gotten where we are today without that initial attack. So, thanks to those Russian cyber trolls, the world is now a better, safer place. Although I doubt that was their initial intent.

To me, the recent money laundering scandals are similar to the Bronze Soldier crisis. Yes, Estonia is at the forefront. Yes, it paints an unflattering picture of us. Yes, there were — and are still — serious issues. But, thankfully, in Estonia we can speak openly about the underlying failings that brought us to our current state rather than working hard to hide our failings just like we did back in 2007. Because that’s how we learn. That’s how we grow. And that’s how we’ll rebound and move forward quickly.

That’s the strength of living in a tiny nation like Estonia with 1.3 million inhabitants — we are small enough to come together behind one large table and work through tough situations like this.

But back to the matter at hand — those AML headlines. To better understand what happened with Danske Bank, Swedbank, and other banks like them, it’s helpful to take a step back for a little historical context.
aml-breaches-are-opportunities-2.jpg

History often helps give context

Today’s AML laws were set into motion after the September 11th terrorist attacks killed nearly 3000 people in 2001. The USA’s subsequent Patriot Act took only 45 days from idea to legislation and created the foundation for global anti-money laundering as we know it today. (4) A terrible crisis was the catalyst for the fight against money laundering at huge scale — which is enormously positive. So that’s the up side. The downside is that, even though the legislation had great intentions, in reality, neither banks nor nations nor societies-at-large were ready to do what it took to stop criminals.

But, of course, hindsight is always 20/20. Which is why it’s a good idea to remind ourselves how different things were.

At the time the Patriot Act passed, Pentium 4 processors and Napster music sharing was the norm. At the time, it was normal for companies and governments to use faxes and snail mail to exchange documents. Email had barely taken hold, the majority of us were still using landlines instead of cellphones, and facebook wasn’t even an idea in Mark Zuckerberg’s head yet. But the Patriot Act was passed in the US. EU didn’t really follow suit because they weren’t worried. Yet.

Now jump ahead to a more recent time. Europe stood in shock as a crisis unfolded before her eyes in 2014. Seemingly out of nowhere, Russia boldly swept into eastern Ukraine and declared Crimea their own. Which is why, just 2 months after Crimea’s annexation, the EU enforced sanctions to limit the business activities of Russian enterprises and individuals. (5) In step, Europe’s Parliament approved a money laundering directive similar to what the US had already approved over a decade earlier. It went into effect in May 2015. It took its own crisis to inspire the EU to action. Positive steps.

For European banks, new EU regulations meant they needed to know all of their customers and also be able to report any relevant information about them to their supervising authorities. Not so easy for companies whose policies and technology have been cemented in stone sometimes for decades or longer. Surprisingly for many, regulators acted quickly. By July 2015, just 2 months after the new directive went into effect, Estonia’s local Financial Supervisory Authority (FSA) issued a notice to Danske Bank in relation to its activities.

Let’s jump into Danske’s shoes for a moment.

aml-breaches-are-opportunities-3.jpg

Seeing it from the bank’s perspective

If we look at the present-day AML scandals from a bank’s perspective, the first 10 years of our present century, at least for European banks, were business as usual. Unsurprisingly, many financial institutions at the time had slowly amassed a large quantity of wealthy, non-resident individuals from various former Soviet nations. Many of these customers required a certain level of financial shielding and confidentiality from their own home countries, but, in return, offered banks lucrative money-making opportunities. At the time, this wasn’t strange or unusual. And, by 2015, these kinds of assets formed a substantial portion of many banks’ portfolios — especially Danske’s.

Which meant that, in 2015, banks suddenly found themselves in a situation where regulators were essentially saying, “Be careful — your golden eggs might be infected with a deadly virus. But, sorry, we don’t have a vaccine and we can’t really help you figure out which eggs are infected and which aren’t.”

So, as a bank, what do you do? You’d probably try to sort through who is infected and who isn’t — keeping the good golden eggs and throwing out those with the virus. But do it all in a way that doesn’t affect your normal operations, a large part of your cash flow, nor your clientele. But that, my friends, is a massive task. A task most banks weren’t set up to quickly accomplish in around a year.

But, even if banks were able to quickly offload most of their shady clients, it wasn’t always enough. Much to many banks’ surprise and horror, local financial authorities began retroactively evaluating banks’ former actions with the new standards set in 2015. Meaning even if they had cleaned up their portfolio, their past wrongs — which weren’t wrongs at the time — could come back to haunt them. This is the situation many banks like Swedbank have currently found themselves in. It’s hard to know if what authorities are doing is right, let alone whether this methodology has legal grounds — but that will be for the courts to decide. However, damage to these banks’ reputations has already been done.

aml-breaches-are-opportunities-4.jpg

A new age of increasing pressure on banks

Maybe you’ve personally noticed the changes that have happened in banks, or maybe you haven’t. Here’s a real example. A foreign friend of mine legally moved to Estonia from the United States in 2012. At the time, she and her husband easily opened a bank account here in less than 24 hours — before either of their residency cards were finalized. At the time, she and her husband marvelled at how low our bureaucracy was in comparison to their normal experience in the States. In 2017, just a few years later, she wanted to open an account at a different bank. Obviously, having lived here for years with a valid residency permit, she’d assumed it would be just as easy as before. But she discovered it would cost her hundreds of euros and she’d need to fill out a stack of paperwork to even apply. The first process felt like signing up for a store loyalty card, the second process felt more like applying for a weapons permit. Things changed quickly in finance.

That’s just one customer-side anecdote. What about what changed internally for the banks themselves? As of today, each year European banks spend more than €80 billion to stay compliant with current regulations and ensure they follow increasingly stricter know-your-customer requirements. Out of both fear and necessity, banks are asking more and more questions of us — and reporting it all to local supervising authorities, who then do their own checks.

Yet still, the last official UN report found that less than 1% of global money laundering was caught. (6) Which means — unless recent EU regulations have drastically increased our efficacy — fighting criminals with bureaucracy isn’t as efficient as we’d like it to be. It’s a bit like trying to catch a fly with an ax. If you keep throwing the ax in the air, sure, you might catch something in the end. But it might not be quite the right tool.

Don’t get me wrong, though, regulations have helped. But the reality still stands that this method alone isn’t all that efficient — we’ll probably run out of axes at some point. And I doubt taxpayers will be happy to continue footing the bill. We need better solutions.

Don’t despair, though because some promising plans are already being set in motion.

aml-breaches-are-opportunities-5.jpg

There’s hope on the horizon

There are all kinds of new solutions popping up that give great hope.

As an example, at the end of 2019, the Estonian government developed the legal foundations needed to build a common bank accounts registry accessible to the Financial Intelligence Unit (FIU). What exactly will be included is yet to be seen, but the potential is massive. The FIU could quickly get vital information from a central database, rather than taking weeks or months to ask bank after bank for needed info. This could make the life of criminals much tougher. If they want to launder 100k and divide it up into 10 different banks and transactions, claiming each was “proceeds from selling my car,” it’s going to be a lot harder. Because, when the FIU can see everything at once, and fast, then the explanations and accompanying behaviour might no longer add up.

Truth be told, the above is still rather crude and simplistic — criminals are generally far more savvy than that. But something like Estonia’s centralized registry would make the fight against money laundering far more efficient, and crime detection far more likely. At that point, due to the fact that money laundering in Estonia would be way more difficult, many criminals would likely begin to steer clear of the nation of Estonia altogether.

Although we still have a long way to go, our tiny Baltic country’s small steps are increasingly being recognized. According to the Basel AML index of 2019, Estonia was already listed at the bottom in terms of global money laundering risk. (7)

aml-breaches-are-opportunities-6.jpg

Together, we can affect change globally

That was just an example of Estonia. If we’re really serious about fighting this crime pandemic, we need to do it globally. We’ll need to find efficient ways to exchange data across borders while still protecting individual privacy. During the UK’s FCA (Financial Conduct Authority) hackathon, Salv built technology to support exactly this in partnership with Cybernetica’s Sharemind. (8) But to get technology like this in motion, it will take immense, collective support from our regulators, the private sector, and banks themselves to promote and try out new technologies in the fight against money laundering. Thankfully, I’ve already had so many hopeful talks with banks and regulators alike — I can see we’re moving in this direction rapidly.

Wouldn’t it be incredible if authorities receive instant red flags every time there’s reason to suspect actual criminal activity? For example, a bunch of spread out, small transactions that collectively add up to something large with an unusual pattern — once the system notices that pattern, it would alert authorities on its own. A visionary pipedream, I know. But this can only happen if the technology sector takes the lead — anti-money laundering efforts can be made far more efficient without spending billions of taxpayers’ money.

But back to the scandals at hand.

aml-breaches-are-opportunities-7.jpg

Why, in the end, we might be thankful for a crisis

The Patriot Act wouldn’t have happened without 9/11. The new EU regulations wouldn’t have happened without the Crimea Annexation. And there’s a bunch of great things that will follow our current global pandemic we don’t even know yet — already it’s likely this will be the fastest a disease was identified and then a vaccine produced, all because we worked together. It doesn’t make these crises good, but it does help us see that good can come from them.

The same goes for the AML crisis. Few of us would be thinking about fixing deep-rooted systemic issues if we hadn’t been caught up in the midst of all of these negative headlines. True, affected banks still have struggles they’ll need to work through. But it’s quite possible that, without these scandals, so much would be for the worst for us all.

Governments like Estonia’s wouldn’t have moved nearly as fast to create a central registry. New data gathering solutions wouldn’t have come to light to solve deeper problems. The FSA wouldn’t have started strongly suggesting banks to take on a more risk-based approach to its customer checks. And, perhaps, there wouldn’t be new AML technologies like Salv emerging.

I’m hopeful that a new crime fighting ecosystem is emerging from the ashes of these AML scandals. Because, imagine if, as a result of our collective learnings, we were able to stop far more human trafficking, drug cartels, terrorist financing, and illegal weapon trading? I would be proud. And, I’m guessing, so would you.

It’s a challenge worth tackling.

Crime-fightingly yours,

Taavi

CEO & Co-founder at Salv

References
  1. https://www.finextra.com/newsarticle/35189/fs-firms-hit-with-36bn-in-aml-kyc-and-sanctions-fines-since-financial-crisis
  2. https://www.ft.com/content/519ad6ae-bcd8-11e8-94b2-17176fbf93f5
  3. https://www.wsj.com/articles/swedbank-fined-397-million-over-anti-money-laundering-measures-11584650731
  4. https://www.vox.com/2015/6/2/8701499/patriot-act-explain
  5. https://www.bbc.com/news/world-middle-east-26248275
  6. https://www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf
  7. https://www.baselgovernance.org/basel-aml-index/public-ranking
  8. https://www.fca.org.uk/events/techsprints/2019-global-aml-and-financial-crime-techsprint

All references taken 7 March, 2020.

×
ISO/IEC 27001 logo
Aicpa logo
GDPR compliant logo
OWASP logo

We build security to our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS etc.) to ensure that our security management system meets the highest standards.

Salv has an ISO/IEC 27001: 2022 certificate, as well as ISAE 3000 compliant SOC 2 Type 2 report.