ECL – Editor’s Choice

ECL - Editor's Choice

Sachlich, hinterfragend, konstruktiv und erfrischend: In unserer Rubrik ECL – Editor’s Choice stellen wir für Sie Beiträge von Vordenkern und Vertretern der neuen Generation potenzieller Compliance-Experten zusammen.

Factual, questioning, constructive and refreshing: In our format ECL – Editor’s Choice we compile for you articles written by Thought Leaders and representatives of the new generation of potential Compliance Experts.

Be inspired!


Breaking the engine of crime

Suspicious Activity Reports (SARs) are the lifeblood of many a criminal investigation. Timely and accurate reports submitted by financial institutions reveal links and uncover wrongdoing that, if not checked, has the capacity to destroy lives all over the world. For states in the EU, a SAR regime is a must. Yet all is not well. Europol, the international police agency, has called for reform of the current arrangements.

Europol’s report[1] makes for fascinating and terrifying reading. Financial Institutions and national Financial Intelligence Units (FIUs) have, since its publication in 2017, already begun to tackle some of the issues raised.

1: Efficiency

Millions of SARs are filed every year across the EU but only about 10 per cent are ever investigated and less than one per cent of the criminal proceeds confiscated. From the criminal perspective, money laundering is a low detection and prosecution crime

2: Defensive filing

The majority of SARs filed across the EU are defensive in nature and come from just two countries: the UK and the Netherlands. These are filed by institutions covering themselves against possible prosecution, rather than passing on intelligence.

The UK has recognised the severity of this problem and has recently pledged about £3.5million to redesign the SAR regime and boost both technology and human resources at Companies House, the agency responsible for company registration.

3: Deposing the cash king

The majority of the SARs filed pertain to cash deposits, withdrawals and transfers. Cash is still king in the criminal world, and the SARs created are vital – but they report on activity in the low end of the criminal value chain. Cash SARS identify the runners who structure funds and are far removed from the ultimate beneficial owners.

These three problems, combined, mean that the indicators of crimes that cause the biggest harm to our societies are underreported. Cyber crime is predicted to generate $6 trillion for criminals by 2020 – outstripping the sale of illicit drugs. Mind you, human trafficking is overtaking drug dealing – and a third of the victims are children, who generate the greatest return for traffickers. Corruption – specifically corrupt officials – continues to deprive countries of billions of dollars’ worth of much-needed income. This disproportionately affects emerging economies.

But there’s also a compounding issue. Banking innovation is ramping up thanks to Open Banking and other initiatives. More and more organisations are performing roles that, until now, were the domain of financial institutions.

One example is Mexican startup AIRTM, a peer to peer cryptocurrency. Using AIRTM, it’s possible to convert any currency into another currency or value. Users can deposit money using a typical banking service, but also with store cards, gift cards, pre-paid cards, cash and cryptocurrency. That value can then be transferred and withdrawn almost anywhere by anyone the value is transferred to in almost any currency – around 200 are currently available. AIRTM is registered as an MSB and complies with the AML regulations, and so it files SARs. Four years ago, it didn’t even exist as a business, let alone a reporting entity.

This company is just an example of many fintechs –growing in number and scale rapidly. Open Banking regulations such as PSD2 regulation speeds that innovation- and it also means they’re filing SARs. And that presents a further challenge for SAR authorities.

Meanwhile, criminal groups are far freer to go about their business. SAR regimes operate on national and regional levels, but organised crime operates across borders. Using networks built on trust and intensive vetting of members, they don’t face the same problems sharing intelligence, skills or resources.

There is a response: Project protect in Canada is one example, and the Joint Money Laundering Intelligence Task Force (JMLIT) in the UK is another. Across the EU, the Fifth AML Directive (5AMLD) mandates better information sharing, with technology at the core.

What can financial institutions do?

The problem remains that the volume of reports is high – and getting higher. Removing false positives is a start for most financial institutions, followed by improving the quality of reports filed to make them more effective.

As the Europol report says: “Even very small changes in the algorithms behind these automatic systems can dramatically affect the number of reports filed, both positively and negatively.”

Some banks already use transaction filtering with a small set of extra context-driven rules to reduce the number of false positive reports they get – and that can help reduce the number of defensive SARs. Note that filtering and rules is not the same as a machine learning exercise.

Banks following this process reported a reduction of close to 60% and in some cases even 90%. Imagine the joy of your investigators and the massive difference it gives on the volume and quality of reporting.

The second thing banks can do to is improved reporting to reduce the low proportion of SARs that are investigated; in part, more accurate reports will be generated by the transaction filtering approach above, but this can be really kicked into high gear by building a smarter, faster and intelligence-led reporting regime. This can only happen if institutions are able and willing to share more information, not just with regulators but with peers and industry groups. Advanced analytics programs running across the sector can connect the dots of behaviour and interactions that provide evidence of criminal behaviour.

The output is something that’s regularly talked about but rarely delivered: Super SARs. The technology exists today to facilitate secure and encrypted information sharing between all the participants responsible for preventing money laundering. But the will has to be there – and the technology has to be easy to upgrade and cost-effective, not least because its successful employment will inevitably lead to criminals changing their tactics.

About the Author: Mariola Marzouk

Mariola Marzouk, Global Head of Financial Crime and Fraud Insights at BAE Systems, is responsible for addressing customers’ business challenges. Her primary focus is to be the ‘eyes and ears’ of the market, generating actionable intelligence to ensure a proactive approach to mitigating risks faced by financial institutions and law enforcement. Mariola developed a deep passion for Financial Crime and Fraud prevention during her Forensic Accounting MSc studies and ACAMS certification. Her role within the Market and Product Strategy team allows exposure to the results of cyber and financial crime convergence across many industries at a global level.She has over nine years of Market and Strategic Insights experience within the technology industry spanning across M&A, Fast Moving Consumer Goods and the Financial Sector.

[1] https://www.europol.europa.eu/publications-documents/suspicion-to-action-converting-financial-intelligence-greater-operational-impact


Auf den Spuren von GRC – Ein Kommentar mit Augenzwinkern

Ökonomisches Prinzip, maximaler Nutzen, Effizienz, Effektivität – das Streben des Homo oeconomicus, das Streben des wirtschaftlich rationalen Teils menschlichen Daseins. Ihm sind Errungenschaften wie Integrierte Management Systeme (IMS) und dessen Abkömmlinge wie Total Quality Management (TQM), Enterprise Risk Management (ERM) und der vielenorts angepriesene „Heilsbringer“ jedes Unternehmensleiters namens Governance Risk and Compliance (GRC) zu verdanken.

Ein hocheffizientes Managementsystem, das eine nachhaltige Unternehmensführung ermöglicht, klingt gut und wäre es auch, würde es eine faktische Umsetzung und nicht nur bloße Phrasendrescherei über Wertschöpfung, Effizienz, Effektivität, Ganzheitlichkeit und Integration erfahren. Die Umsetzung ist möglicherweise nicht zuletzt deshalb so verzwickt, weil GRC schwer zu greifen ist. Nach jedem Fachartikel, nach jeder Podiumsdiskussion, nach jedem Fachvortrag stellt man sich meist erneut die Frage, was denn nun GRC im Konkreten sei – dabei führt Rekapitulation oftmals zur Kapitulation.

Vielleicht ist GRC auch einfach nur ein Schritt zurück in die richtige Richtung?

Krisen- und skandalgetriebener Reaktionismus sowie das eine oder andere Gerichtsurteil haben zu einer Art „kambrischen Compliance-Explosion“ geführt. Anorganisch gewachsene Compliance-Organisationen müssen nun, nachdem doch die ein oder andere davon aus dem Nichts erschaffen wurde, ihren Weg zurück zum Business finden. Das ist gut so! Nur auf diese Weise kann Compliance das Geschäft unterstützen, Akzeptanz hinzugewinnen und so der Gefahr entweichen, irgendwann als bloße Modeerscheinung in die Bedeutungslosigkeit abzudriften. Alle Bemühungen, die Tugenden des ehrbaren Kaufmanns mit dem tüchtigen Homo oeconomicus zu verbinden, wären vergebens.

Nur beschränkt sich die anscheinend endlose Selbstfindung von GRC längst nicht mehr auf die ominöse „Integration“ von Risikomanagement und Compliance. Neben der Internen Revision und dem Internen Kontrollsystem (IKS), welche man nach Belieben ebenfalls unter das Risikomanagement subsummieren mag, werden auch Qualitätsmanagement, Controlling, Unternehmenssicherheit sowie eine Dunkelziffer weiterer Funktionen kurzerhand in den GRC-Topf geworfen. Dennoch oder vielleicht gerade deshalb kommt man nicht zu „Potte“.

Die Diskussionen um GRC scheinen sich aus neutraler Perspektive im Kreis zu bewegen. Sie kreisen in einem Orbit um den Kern der Debatte: die (Auf-)Forderung nach einer verbesserten Zusammenarbeit zwischen Governance-Funktionen zum Wohle des Unternehmens und seiner Stakeholder. Wem die konkrete aufbau- und ablauforganisatorisch manifestierte Umsetzung dieser Zusammenarbeit glückt und damit GRC greifbar macht, dürfte auch jetzt noch als Pionier gelten.

Über den Autor: Manuel Treiterer, LL.B.
Manuel Treiterer ist studierter Wirtschaftsjurist (LL.B.). Im Rahmen seines Studiums absolvierte er Praktika in Stabsfunktionen zweier Großkonzerne der Automobilindustrie sowie bei einer Anwaltskanzlei und einer Rechtsberatung für Compliance Management. Aktuell studiert Herr Treiterer Legal Management (LL.M.) an der HTWG Konstanz und verantwortet darüber hinaus verschiedene Projekte beim Compliance Channel.