Money laundering remains one of the key challenges of the digital age. If you’ve ever worked in compliance or AML, you most likely know the headline statistics. That criminals launder an estimated €4tn every year. That only between 1-2% of this is successfully identified, prosecuted and confiscated. That, if unstopped, this money will go on to fund some of society’s worst ills – including the trafficking of drugs, armaments, even humans.

And you might also know that financial companies spend a staggering €150bn annually to meet compliance expectations, amid a continually evolving regulatory environment. And perhaps you’ve even noticed news or articles on the emergence of game-changing privacy-enhancing technologies that promise to fix the current compliance system and money laundering problem.

So if there seems to be a clear business motivation in place, technological capabilities ready to be utilised, and a regulatory framework to support this – why hasn’t the problem been solved yet?

Are we sure we’re fixing the problem from the right end?

No technology or well-meaning regulation will fix a problem by itself if we start solving this issue from the wrong end. So far the solution attempted, as the whopping figures spent on compliance indicate, is just adding more and more regulations, which in turn means companies are adding more and more people into the system, hoping this will eventually solve AML. Which it hasn’t.

To understand the essence of the problem, let’s take a look at the other side of the frontier – the criminals and how they operate. We know that the majority of big “dirty” money moves through criminal networks, not through sole opportunists trying to outsmart a couple of selected banks. These are big sophisticated networks who possess the latest technology and industry knowledge, moving their illicit fund around and covering their tracks through complex schemes. One of the big “advantages” of those criminal networks is their ability to communicate and collaborate – inside their network, across different networks, across country borders, and ultimately all over the world. They are able to share relevant information among themselves, making the detection of illicit fund movements close to impossible.

Person next to money

Now if we take a look at the other side of the frontier, a completely different picture emerges. Financial institutions are often working in silos, trying to figure out and spot more complex criminal patterns and schemes with only partial information, without the ability to pull together the full picture. And without the ability to efficiently collaborate with other banks.

So if we truly want to tackle money laundering, we need to start by helping financial institutions collaborate and share more FinCrime intelligence. The need for information sharing is as pressing as ever. As long as financial institutions continue to operate in isolation it will be impossible to piece together the evidence required to prosecute sophisticated money laundering schemes. Collaboration – across institutions, across national borders and legal jurisdictions – is required to assemble the necessary intelligence. And ultimately beat a network with a network. Sounds really logical right? But not exactly simple.

AML intelligence sharing is not a radical idea

Intelligence sharing in AML/CTF is not a new idea. FATF, the global standards-setter, has been talking about intelligence sharing for many years. This isn’t a radical idea. This isn’t a novel idea. It’s simply an idea that’s been left in the “too hard” basket for over a decade, with obstacles ranging from data protection, security challenges, or legal uncertainty offered as reasons to prevent its implementation. Information sharing is a solution that has worked for decades in other domains – for example: credit bureaus. The vast majority of countries around the world have found evaluating credit worthiness an essential component of a well-functioning financial system, in fact outside a handful of badly undeveloped or autocratic nations, few operate without them. The execution of an intelligence sharing platform is however where things get complex. That’s no surprise – this is precisely why historically a market-ready solution has not yet emerged. And why although in theory it looks very promising, in practise there are a lot of hurdles on the way.

What makes AML intelligence sharing so complex?

There are a whole variety of complicated, interrelated elements that make FinCrime intelligence sharing challenging. It’s not enough just to change regulations; or to adopt game-changing privacy-enhancing technologies – all of the individual component parts have to be operating in parallel, simultaneously, or the whole thing grinds to a halt. While many groups of crime-fighters have focused extensively on certain areas individually, we need to recognise that it’s how these isolated component parts work together that makes AML intelligence sharing possible.

This has been a chief observation from the past 6-12 months during Salv’s Salv Bridge pilot. So what are the most important parts that need to work together?

Privacy-Enhancing Technologies (PETs): the potential of PETs, as demonstrated in the military or healthcare sectors, is fast becoming apparent for an AML/CTF application as a new technology however performance challenges remain, especially at scale, and integration with existing legacy systems will not be a trivial process.

Data protection regulations: the GDPR offers incredible benefits for European citizens. In theory, it harmonises and clarifies. In practice, it presently still frustrates and confuses financial institutions, as well as financial supervisory authorities and financial intelligence units. This shouldn’t be the case, but until its precepts have been tested in court many stakeholders will remain tentative and risk averse.

Existing AML regulations: thanks to clear high-level guidance from FATF and the European AML directives, what kind of data can be shared, by whom, and with whom is becoming more apparent. When this translates to EU-member level legislation though, often specific guidance is still required.

And this is just the tip of the iceberg. If we go below the surface and work on an individual company level, there is a wide range of areas that need to be covered. Like information security, data quality, IT integration and product development challenges. And then there are all the legal questions and actual contract work that needs to be put in place to make AML intelligence sharing possible among multiple institutions. And to top all off, there is also the public interest and stakeholders relations on different levels inside and outside banks that need to be altered.

It’s a long list of different challenges, which as our Salv Bridge Estonia pilot demonstrated, need to be resolved before the real action starts. It might also be why many of the nationwide AML data sharing initiatives (SAMLIT, AUSTRAC, TMNL to name a few) that start out with a bang, take so many years to get to actual results. We can’t say that it has been a completely smooth ride with the Estonian pilot. But we do see that because we’ve consciously taken a more agile approach, identified and addressed those important areas, it has helped us to move towards the right direction hopefully a lot faster.

So there is clearly hope that things will change, as we’ve witnessed through our Salv Bridge Estonia pilot experience. And it’s not always the headline grabbing areas like cryptographic technology or major AML regulation reform that need to progress, but often less visible issues such as platform integration, or actual contract negotiations that emerge and require infinitely patient teams, at regtechs, at financial institutions, at supervisory bodies, to resolve. Wait for our next blog, where we explain in more detail how we’ve managed to put the vital gears in motion to make AML intelligence sharing happen.

ISO/IEC 27001 logo
Aicpa logo
GDPR compliant logo
OWASP logo

We build security to our products and organisation from the start. We use security best practices (incl. ISO 27001, CIS etc.) to ensure that our security management system meets the highest standards.

Salv has an ISO/IEC 27001: 2022 certificate, as well as ISAE 3000 compliant SOC 2 Type 2 report.