Case Study: Financial Crime and Fraud

After completing this reading, you should be able to:

  • Describe elements of a control framework to manage financial fraud and money laundering risk.
  • Summarize the regulatory findings and describe the lessons learned from the USAA case study.

This chapter discusses fraud and financial crime risk management in different forms: fraud, money laundering, and terrorism financing.

Internal and external fraud are common types of operational risk that banks managed long before the introduction of ORM. Non-financial risk management comprises anti-money laundering (AML) and counter-terrorism financing (CTF). These two functions are responsible for effective control against the risk of terrorism financing and money laundering.

Definition of Financial Crime

According to the UK Financial Conduct Authority’s (FCA) Handbook, financial crime refers to “any kind of criminal conduct relating to money or to financial services or markets, including any offense involving: fraud or dishonesty; or misconduct in, or misuse of information relating to, a financial market; or handling the proceeds of crime; or the financing of terrorism.”

Financial crime comprises internal and external fraud, money laundering, and terrorism financing.

Internal Fraud: According to BCBS, internal fraud refers to “losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party.”

Internal fraud can be of two types: “unauthorized activities” and “theft and fraud.” “Unauthorized activities” may lead to a loss of money for an organization and include any intentional violation of the law or internal policies perpetrated by a firm’s employees. Examples of unauthorized activities under the Basel event type classification include intentional non-reporting of transactions, mismarking trading positions, or the execution of unauthorized transaction types. Passwords, disclosure of confidential information, or the mis-selling of financial products to vulnerable clients are also examples of unauthorized activities.

On the other hand, “theft and fraud” involve the misappropriation of assets, such as extortion, embezzlement, malicious destruction of assets, bribery, and tax evasion.

External Fraud: According to BCBS, external fraud refers to losses due to acts of a type intended to defraud, misappropriate property or circumvent the law by a third party.

The subcategories of external fraud are “theft and fraud” and “systems security,” which involves hacking damage and theft of information. “Systems security” is becoming particularly prominent as a result of the increasing digitalization of financial services. Over roughly the past decade, cyber and information risk management has also evolved into a specialized branch of operational risk management, sometimes called information security risk management (ISR).

Recent studies show that the COVID-19 pandemic has increased banks’ exposure to internal and external fraud by more than two times. The shift to working from home in particular led to an increase in fraudulent wire transfers and email scams.

Definition of Anti-money Laundering (AML) and Terrorism Financing (TF)

Different countries may have different laws against money laundering and terrorism financing. In this section, however, we use the definition of the European Union. On May 20, 2015, the European Parliament and Council issued a directive to prevent the use of the financial system for money laundering or terrorist financing. According to article 1 of this directive, money laundering involves any of the following:

  1. Knowingly converting or transferring property derived from criminal activity in order to disguise the illicit origin of the property or to assist someone involved in such an activity to evade the legal consequences of their actions.
  2. Knowingly disguising the true nature, source, location, disposition, movement, or ownership rights of property derived from criminal activity or from participation in criminal activity.
  3. Acquiring, possessing, or using property, knowing, at the time of ownership, that the property had been obtained through criminal activity.
  4. Associating with, participating in, committing, attempting to commit, as well as aiding, assisting, facilitating, and counseling the commission of any of the actions listed in points 1, 2, and 3.

The IMF defines terrorism financing as the provision or collection of funds to be used, partly or in full, to facilitate any offense considered by the authorities as a terrorism act.

Financial Crime Risk Management

This section will review the prevention and mitigation of internal fraud and anti-money laundering practices.

Internal Fraud Management

Historically, the internal audit department was responsible for managing internal and external fraud for banks. Some banks used to have “inspections,” which were orchestrated by a subdivision of the internal audit responsible for detecting, monitoring, and reporting fraud.

In their risk appetite framework, most firms state that they have zero tolerance for internal fraud.

The figure below presents a framework of controls and measures to mitigate internal fraud risks. It consists of four components:

  1. Selection: Involves screening of employees and associated third parties. The organization’s culture is also considered in this step. When firms employ people who share the same values and ethical standards, it is easier for the firms to manage such employees. Selection is also an important mitigation mechanism in AML and third-party risk management.
  2. Prevention: The key controls for fraud prevention are found in this step. The rights, authority, and access of each function must be clearly defined in order to manage fraud risk effectively.
  3. Detection: Time to detection is critical in limiting the effects of an operational risk event. Detective controls are essential in internal fraud management and act as a deterrent as well: fraud is least likely to happen if the consequences are severe. Effective supervision and monitoring help to limit internal fraud.
  4. Deterrents: These are sanctions and actions announced following any act of fraud. Deterrents also disincentivize employees from committing fraud, thus promoting the risk-reward balance.

External Fraud Management

External fraud management shares many of the aspects of internal fraud management. The point of departure is that external fraud management focuses on bad external actors.

Bank robbery, check kiting, fraudulent wire transfers, credit card fraud, and identity theft are examples of external fraud. Misrepresentations of income, assets, and collateral values in loan applications are also classified as fraudulent by most institutions. It is sometimes necessary to subdivide external fraud into first-party and third-party fraud. This helps distinguish fraud that a customer or a business partner commits for their own benefit from fraud committed by an external actor, which may affect both the bank and the customer.

It is, therefore, necessary for special teams to manage the different types and actors of external fraud. For example, security should be in place to protect the buildings and assets of the financial institution against robbery. Banks also work with local authorities to handle such issues whenever they occur.

AML Risk Management

It is common for criminals to disguise the proceeds of their criminal activities as legitimate sources of funds in two or three phases. The following are the three phases of money laundering:

  1. Placement: Involves all methods intended to disguise the origins of the funds: cash transfer to business, false invoicing, use of trusts and offshore companies, “smurfing” (keeping a bank account or credit card under the AML reporting threshold by making a series of small transactions rather than a single large transaction), using foreign bank accounts, etc.
  2. Layering: Involves different placement and extraction strategies to make tracking transactions as difficult as possible and circumvent AML controls.
  3. Integration or extraction: Involves getting the money out to use while evading taxes and law enforcement through activities such as fake payments to employees, fake loans, or dividends to accomplices.

The figure below presents key risk mitigation measures for AML.

Most importantly, customers should be selected appropriately and their documents properly scrutinized and verified (a process known as know your customer, or KYC). Banks should also verify the origins of funds before embarking on any business transactions to ensure that these funds are not linked to any fraudulent activities.

Regulators recommend a risk-based approach to AML risk management. That is, the higher the risks, the tighter the controls, and vice versa. Customers are categorized as low, medium, or high risk based on associated risk factors which are used as monitoring criteria.

Firms should have robust governance and a prudent money laundering risk officer (MLRO) responsible for the management of AML. In addition, establishing written policies, training employees, and thorough reviews can also contribute to effective AML risk management.

The Regulatory Findings and Lessons Learned from the USAA Case Study

Financial Crime Controls at UK Challenger Banks

In its 2022 report, the FCA examines financial crime controls at challenger banks, which are fully digital and offer customers the ability to open accounts very quickly. According to the FCA, there is a risk that account-opening information is insufficient to identify higher-risk customers. The following are some key findings highlighted by UK regulators:

  • The reviews revealed some evidence of good practice, e.g., the application of technology in identifying and verifying customers quickly.
  • However, a number of weaknesses were found, which increased the risk of financial crime during the customer onboarding process and during the customer’s tenure with the bank. In order to address the weaknesses highlighted, challenger banks should adjust their risk management strategies.
  • The FCA recommends a risk-based approach to AML risk management characterized by continuous monitoring of controls to ensure they are fit for purpose in light of some challenger banks’ high growth rates.
  • Weaknesses were also found in both customer due diligence (CDD) and the consistent application of EDD (enhanced due diligence) in some banks, for example, in the case of PEPs (politically exposed persons). A well-established customer risk assessment is needed to address these weaknesses.
  • Among other weaknesses, inconsistent or inadequate rationales for ignoring transaction monitoring alerts were identified.
  • According to the UK regulator, challenger banks should adjust their oversight and control frameworks as their business models evolve and grow.

Case Study: USAA

According to the banking and compliance press, the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) fined USAA Federal Savings Bank (FSB) $140 million for failing to implement and maintain a BSA/AML compliance program.

The deficiencies identified include inadequate internal controls; inadequate detection, evaluation, and reporting of suspicious activity; staffing; training; and third-party risk management, as well as significantly understaffed BSA/AML compliance departments.

Because of these staffing shortages, USAA relied on third-party contractors. This is a common practice in banking, especially when heavy workloads are coupled with tight deadlines. However, USAA failed to train the contractors or ensure they had the necessary qualifications, worsening the situation.

It has been reported that the new transaction monitoring system implemented by USAA FSB is “too sensitive and generates an unmanageable number of alerts and cases.”

An important lesson from this case is that heavy regulatory fines do not occur by accident: They result from accumulating failures and procrastinating about implementing the necessary changes to meet regulatory requirements. Due to the difficulty and discomfort associated with transformations, most firms delay implementing changes in response to regulatory findings until the last minute. This may be too late, as in the case of USAA.

A weak control environment can attract fines from regulators anywhere in the world, as has happened in the US, UK, and Asia. In Asia, for example, regulators imposed fines on banks totaling $5.1 billion for failing to comply with AML laws.

Banks are required to review, verify, and report suspicious activity in response to regulatory findings and sanctions. An AML risk management framework should incorporate technology and automation for detection and alerts as well as proper recording of false positives and false negatives. Moreover, the COVID-19 pandemic changed customer and business behavior, particularly with the rise of remote transactions, which makes it more difficult for financial institutions to detect anomalies. Fraud risk management and AML are constantly changing as new opportunities present themselves for fraudsters in new economic and business environments.
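As an added example (not part of the original reading, and not any bank's or vendor's system), the sketch below applies a minimal rule for the “smurfing” pattern described under Placement at three sensitivity settings and records the resulting false positives and false negatives. The threshold, rule parameters, account names, and amounts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD = 10_000  # assumed reporting threshold, for this example only

# Constructed sample data: (account, day, cash deposit amount).
TXNS = [
    ("ACC-A", date(2024, 3, 1), 9_500), ("ACC-A", date(2024, 3, 2), 9_200),
    ("ACC-A", date(2024, 3, 3), 9_800), ("ACC-A", date(2024, 3, 5), 9_400),
    ("ACC-B", date(2024, 3, 1), 4_000), ("ACC-B", date(2024, 3, 4), 3_500),
    ("ACC-B", date(2024, 3, 6), 3_000),
    ("ACC-C", date(2024, 3, 2), 9_900), ("ACC-C", date(2024, 3, 20), 400),
]
KNOWN_STRUCTURING = {"ACC-A"}  # constructed ground truth used for scoring


def structuring_alerts(txns, min_ratio, min_count, window_days):
    """Flag accounts with at least min_count deposits inside window_days,
    each below THRESHOLD but at least min_ratio * THRESHOLD, that together
    exceed THRESHOLD."""
    by_account = defaultdict(list)
    for account, day, amount in txns:
        if min_ratio * THRESHOLD <= amount < THRESHOLD:
            by_account[account].append((day, amount))
    flagged = set()
    span = timedelta(days=window_days)
    for account, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = [amt for day, amt in items[i:] if day - start <= span]
            if len(window) >= min_count and sum(window) > THRESHOLD:
                flagged.add(account)
                break
    return flagged


def score(flagged, truth):
    """Return (true positives, false positives, false negatives)."""
    return len(flagged & truth), len(flagged - truth), len(truth - flagged)


SETTINGS = {
    "calibrated":    dict(min_ratio=0.8, min_count=3, window_days=7),
    "too sensitive": dict(min_ratio=0.0, min_count=1, window_days=30),
    "too lax":       dict(min_ratio=0.8, min_count=5, window_days=7),
}

if __name__ == "__main__":
    for name, params in SETTINGS.items():
        alerts = structuring_alerts(TXNS, **params)
        print(name, sorted(alerts), score(alerts, KNOWN_STRUCTURING))
```

The over-sensitive setting flags every account, so two of its three alerts are false positives that someone must review, while the lax setting misses the structuring account entirely.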

Practice Question

Given the lessons from the USAA FSB case, which of the following best represents a key consideration for financial institutions seeking to maintain a robust AML program?

A. Employing third-party contractors inherently improves AML monitoring capabilities.

B. Rapid account growth is a valid justification for non-compliance with AML standards.

C. Introducing new transaction monitoring systems, regardless of their sensitivity, will always enhance AML compliance.

D. Instituting adequate controls is crucial, especially when using automated detection systems, to manage the volume of alerts and ensure they do not produce an overwhelming number of false positives or false negatives.

Solution

The correct answer is D.

The USAA FSB case clearly illustrates the importance of having adequate controls, particularly when utilizing automated detection systems. The challenge that the bank faced with 90,000 unreviewed alerts and nearly 7,000 unreviewed cases was primarily due to their newly introduced transaction monitoring system being overly sensitive. This emphasizes that while automation can aid in detecting potential AML violations, it’s critical to ensure that these systems are well-calibrated to manage the number of alerts and minimize false positives and negatives.

A is incorrect because simply employing third-party contractors does not guarantee improved AML monitoring. In the case of USAA FSB, they utilized third-party contractors due to staffing shortages but failed to train them adequately in AML compliance matters, which compounded their problems.

B is incorrect because rapid account growth should never be an excuse for non-compliance with AML standards. Financial institutions must scale their compliance programs in tandem with their growth to ensure they continue to meet all regulatory requirements.

C is incorrect as the case demonstrates that merely introducing new transaction monitoring systems does not guarantee improved AML compliance. The new system at USAA FSB was overly sensitive, producing an excessive number of alerts that overwhelmed their compliance processes. This highlights the importance of ensuring that any new system introduced is properly calibrated and tested to suit the institution’s needs.

Things to Remember

  • Automation isn’t flawless: The USAA FSB case underscores the importance of calibrating automated detection systems. While they can be powerful tools, they must be optimized to avoid excessive false positives and negatives.
  • Quality over quantity: It’s not about the number of alerts but their quality. An overwhelming number of alerts, if not actionable, can hamper the efficiency of an AML program.
  • Training is key: Even with third-party assistance, training is paramount. Outsourcing without ensuring the contractors’ understanding of AML can exacerbate compliance issues.
  • Scalability with compliance: Rapid growth of accounts or transactions requires scalable compliance mechanisms. Growth should never be a reason for AML non-compliance.
  • System implementation needs oversight: Introducing new monitoring systems requires thorough testing and calibration, ensuring they are tailored to the institution’s specific requirements and challenges.