The UAE is the Middle East’s leading financial center and a global hub for trade, particularly in gold and precious metals. This large presence within the global financial system makes it a target for financial crime, in particular as a transit point for illicit funds. In the last few years, as part of efforts to further combat this threat, the UAE government has made considerable progress in aligning with global standards on Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF), in large part by improving the robustness of the country’s legislative framework. The government issued Federal Decree Law No. 20 of 2018, designed to enhance the UAE’s effectiveness in identifying and preventing money laundering and terrorist financing, created an executive office to oversee the implementation of the UAE’s national AML/CTF strategy, and established courts specializing in money laundering crimes. With more than AED41 million ($11m) of fines issued by the UAE’s AML task force in the first six months of 2022, the UAE is taking significant steps through both legislation and enforcement to fight financial crime.
Improving Compliance Programs
With the government’s increased focus on AML/CTF compliance, financial institutions must ensure that they are continually developing and improving their compliance programs. One of the most effective ways to do so is by leveraging the strengths of modern technology disciplines such as advanced analytics and artificial intelligence. There is a multitude of compliance-related areas in which fintech solutions can improve efficiency and outcomes. Examples include:
- Advanced transaction monitoring and network analysis. Traditional transaction monitoring systems use a set of static rules to identify behavior indicative of money laundering. The challenge with this approach is that complex money laundering patterns may be missed, and a high number of false positive alerts may be produced, which can strain the compliance team’s resources. Advanced transaction monitoring systems use artificial intelligence, machine learning, and network analysis to uncover and identify complex patterns in both transactions and customer relationships that would otherwise be difficult for human analysts to detect. In addition, advanced monitoring systems produce fewer false positive alerts and can give a risk rating to the alerts generated, enabling compliance professionals to review the most pressing cases first.
- Automated customizable sanctions screening. Automated sanctions screening applications allow organizations to screen their customer base and transactions in real time against relevant sanctions lists. This allows compliance professionals to review the alerts generated for possible sanctions hits rather than spend valuable time manually checking each name against each of the chosen sanctions lists. These automated applications also allow for the underlying algorithms and threshold of similarity to be configured in order to match an organization’s risk appetite and reduce the number of false positive alerts produced.
- Streamlined customer due diligence. Traditionally, customer due diligence is a time-intensive process, and the adoption of new technology can significantly reduce the time it takes. Advanced analytical applications have been developed to streamline the various phases that make up customer due diligence, from ID verification and negative news screening to checking entity connections, allowing compliance professionals’ time to be better spent elsewhere in the organization.
When implemented correctly, modern fintech solutions form an integral part of an effective and efficient compliance program. In the light of clear benefits to adopting advanced technical solutions to combat financial crime and enhanced regulatory scrutiny in this area, financial institutions (including those in the UAE) are increasingly turning to third-party fintech vendors to build their internal monitoring systems. In the past, it may have been possible for these systems to be built in-house. However, that is no longer the case given the need for specialists in areas such as machine learning and advanced analytics as well as the AML/CTF expertise from compliance professionals.
Third-Party Tools – Mitigate The Risks
Whilst third-party applications can undoubtedly assist financial institutions to implement robust compliance programs, there is a risk of costly issues arising if utilized incorrectly, particularly if the vendor and financial institution have failed to communicate effectively.
A recent example is the Finding of Violation against MidFirst Bank by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). The violations identified by OFAC ultimately stemmed from miscommunication between MidFirst and a vendor which supplied its sanctions screening software. On September 21, 2020, OFAC designated two individuals as subject to US sanctions by way of their inclusion on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN list). The software utilized by MidFirst failed to raise alerts that these individuals were in the bank’s existing customer base. As a result, MidFirst processed 34 transactions totaling more than $600,000 on behalf of these individuals before the accounts were blocked, 14 days after the individuals were added to the SDN list. These individuals were not flagged earlier because MidFirst misunderstood the scope of the contract it had with its vendor. MidFirst incorrectly believed that the vendor would screen the full customer base daily against changes in the SDN list. In fact, the vendor was contracted to conduct daily screenings only for new customers and existing customers with updated personal details. Crucially, the vendor was only contracted to screen the entire customer base once a month. This misunderstanding left a gap in the bank’s compliance procedures: an account for a sanctioned customer could be maintained for up to 30 days before it would be flagged as part of the monthly customer base screening.
This is one example of many violations by financial institutions around the world that stem from misunderstandings of the scope of vendor-supplied solutions, or from miscommunication between the parties as to what the solution implemented by the vendor needs to achieve. Risk between vendor and financial institution needs to be managed in all phases of the software lifecycle. Relevant considerations for both parties include:
Implementation. Has the application been installed properly? Is the system performing exactly as expected? Has the brief given to the vendor been completely fulfilled by the application installed?
- The risk of inadequate implementation can be managed by ensuring a comprehensive brief is provided by the financial institution to ensure the vendor has all relevant knowledge (including an understanding of how the institution operates) in order to develop and implement software that is tailored to meet the institution’s specific needs. Once implementation is complete, a full audit of the application should be carried out by the institution in conjunction with the vendor in order to identify any issues.
Updates. Are updates vetted before they are applied? Do the updates change the scope of the application?
- As above, communication between the organization and vendor is essential. The impact of updates should be fully understood and agreed by both the compliance and IT departments before being applied and the impact confirmed once applied.
Settings. Has the financial institution been made aware of the impact of changing the application’s settings?
- Many applications, such as automated sanctions screening applications, have settings that can be changed in order to reduce the number of alerts produced. Institutions should ensure that they are aware of and understand the impact of changing such settings. For example, increasing the ‘similarity’ threshold in a sanctions screening application has the impact of reducing the number of alerts produced. However, the downside of doing so is a risk that true positive matches may be missed if the threshold is set too high. The decision to change the settings of a sanctions screening application is dependent on a number of factors including the organization’s risk appetite and the specific circumstances under which the sanctions lists are to be screened. Any decision must therefore be assessed in the light of these factors.
The examples listed above are just a few of a multitude of scenarios where vendor-supplied software can expose a financial institution to risk. Lapses or oversights in software can often lead to financial institutions paying a heavy price, from purchasing additional or replacement software to, in a worst-case scenario, facing enforcement action from regulators as a result of compliance failures arising from improper use of software.
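The threshold trade-off described under Settings can be measured before a setting is changed. The following is an added example, not code from any vendor product or from the original article: it assumes a normalized edit-distance similarity (real screening products use their own matching algorithms) and uses constructed, fictional names with hand-labelled ground truth.

```python
# Constructed sample data: fictional names, not taken from any real sanctions list.
WATCHLIST = ["Maxim Orlovsky", "Samira Haddad"]

# (customer name, is_true_match): ground truth labelled by hand for this example.
CUSTOMERS = [
    ("Maxim Orlovsky", True),    # exact match
    ("Maksim Orlovski", True),   # transliteration variant of a listed name
    ("Samir Haddad", True),      # spelling variant of a listed name
    ("Zamira Hadden", False),    # similar-looking name, different person
    ("Priya Raman", False),      # unrelated customer
]

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Similarity in [0, 1] after lowercasing and collapsing whitespace."""
    a, b = " ".join(a.lower().split()), " ".join(b.lower().split())
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest

def best_score(name):
    """Highest similarity of a customer name against any watchlist entry."""
    return max(similarity(name, entry) for entry in WATCHLIST)

def sweep(thresholds):
    """For each threshold, count alerts, false positives and missed true matches."""
    rows = []
    for t in thresholds:
        alerts = [(n, truth) for n, truth in CUSTOMERS if best_score(n) >= t]
        missed = [n for n, truth in CUSTOMERS if truth and best_score(n) < t]
        rows.append({"threshold": t,
                     "alerts": len(alerts),
                     "false_positives": sum(1 for _, truth in alerts if not truth),
                     "missed_true_matches": missed})
    return rows

if __name__ == "__main__":
    for row in sweep([0.75, 0.85, 0.95]):
        print(row)
```

Running the same sweep over a labelled sample of an institution's own historical alerts shows which known true matches a proposed threshold would stop alerting on.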
One avenue to mitigate the risks outlined above is to engage with independent experts on a regular basis who are experienced in interrogating and assessing the adequacy of compliance applications from an impartial perspective. These experts can identify and advise upon gaps in the functionality of the application and suggest means of improving or adapting the application to suit the individual institution’s specific needs and circumstances. Utilizing external experts mitigates issues likely to arise if conducting a review in-house, such as bias, the available bandwidth of staff and a lack of specific skills and experience.
In short, when utilized correctly, vendor solutions can improve the ability of financial institutions to fight financial crime in an effective and efficient manner. However, financial institutions should not be oblivious to the inherent risks that present themselves when relying upon vendor solutions. It is imperative that thorough risk assessments and performance testing are conducted throughout the lifetime of using the technology, ideally by an independent expert.