Share this article on:
With internet companies increasingly vulnerable to opportunistic cyber criminals, Douglas Wolfson, director, financial crime compliance at LexisNexis Risk Solutions, offers insight into the safeguards available to bolster digital defences.
Criminals are endlessly innovative. When one door closes, they look for another. In the international fight against financial crime, regulators have prompted traditional banks to steadily tighten their compliance programs.
Criminals are looking elsewhere – and internet platforms such as gaming, e-commerce, social media and live streaming where large amounts of money circulate anonymously are an appealing target.
The online world is an easy place to hide your identity and large amounts of money routinely change hands for opaque purposes. Take for example online gaming platforms, where players routinely pay for in-game options or credits.
These non-transparent transactions provide a legitimate explanation for anyone who wants to hide the source of a large amount of money. Live streaming, where celebrities and influencers receive gifts or sell products, is another appealing option for money launderers. A series of fake accounts acts as a conduit for money transfers that are difficult to track.
These are large and fast-growing markets which have been given an extra boost during the COVID-19 pandemic. The online gaming industry is growing by around 9 per cent a year and is expected to be worth more than US$250 billion by 2025, while live streaming hours watched soared by 99 per cent in 2020.
The growth of digital channels and the huge potential for financial crime through them is drawing the attention of regulators around the world. This has significant implications for internet companies, who may not have the compliance focus and experience in place to deal with the increase in transactions, and with this, the increase in opportunities for money laundering.
Regulators are watching
Regulator action and scrutiny around sanctions has steadily increased in recent years. The Accuity Sanctions Pulse shows that three of the major regulators – the US Office of Foreign Assets Control (OFAC), the European Union and the United Nations – updated their sanctions lists 210 times in 2020.
Sanctions-related fines issued by OFAC alone exceeded $1.3 billion in 2019. Other countries are also increasing their sanctions activity; in September 2020 China’s Ministry of Commerce announced proposals to introduce an Unreliable Entity List regime.
The financial services sector was initially the focus for regulators’ attention, but sanctions risk can touch any business. Any entity that deals with US dollar payments, for example, will come under OFAC’s spotlight.
More than 300 OFAC-sanctioned entities are based in Asia but more importantly, most foreign exchange transactions involve a dollar conversion at some stage. That means that OFAC will take an interest.
Regulators have widened their scope more recently. The Financial Action Task Force (FATF) specified in 2020 that its recommendations should apply to non-financial businesses and professions with a high risk of money laundering – including virtual currency custodian wallet services and crypto-fiat exchanges.
The FATF recently issued standards designed to prevent the misuse of virtual assets for money laundering and terrorist financing, which effectively means that virtual asset and asset service providers must adopt the same risk-based approach to anti money laundering and counter terrorist financing that applies to financial institutions.
Individual regulators in Asia are following suit. The Monetary Authority of Singapore, for example, introduced its Payment Services Act in 2020 to better regulate the cryptocurrency sector and amended the Act in 2021 to reflect developments in digital payment token activities.
Regulators are not afraid to act. Two major internet companies have been issued penalties by OFAC for sanctions violations in the past two years as a result of deficiencies in their in-house sanctions screening systems. The breaches were self-reported and the fines were small but the cases have highlighted the regulatory, financial and reputational risk that internet platforms could face.
Internet companies need their own defences
Traditional banks and internet platforms are, in reality, close partners. Irrespective of how transactions are generated, they are inevitably routed through banks. Internet companies are some of the most important customers for the ‘traditional’ banking sector.
This matters because regulators have made banks the gatekeepers in the international fight against financial crime and banks increasingly see non-financial companies as one of their most significant areas of sanctions risk.
Our research found that a quarter of all suspicious activity reports generated by banks involved a non-bank payment provider.
Banks carry out sophisticated sanctions screening – but in a world where criminals are constantly looking for weaknesses, can internet companies continue to rely on banks to be their main line of defence?
The answer is categorically no. The direction of movement from regulators is clear; internet companies must quickly take steps to strengthen their own defences.
The challenge for these businesses is putting a sanctions compliance program in place that manages and minimises the risk of financial crime in a way that preserves the customer experience – the unique selling point for internet companies.
Creating a robust compliance system
There is no doubt that internet companies face unique challenges around compliance and most significantly the anonymity of the online world. Internet platforms are accessible by anyone from anywhere. But given the sophisticated technology-based solutions available on the market, setting up robust defences need not be difficult or complex.
The good news is that internet companies have a distinct advantage over the traditional banking sector when it comes to financial crime compliance:
There are some areas where internet companies are at a disadvantage. Most notably they have little direct experience of financial crime compliance but generally, implementing customer onboarding and monitoring systems is a straightforward process.
Six steps to seamless compliance
A compliance program should be designed to match the specific risks that each company faces. Some geographies, products and customers (such as high net worth individuals or shell companies) are riskier than others but the common thread underpinning successful compliance is automation. Financial crime screening solutions introduce robust and rapid screening checks through a series of seamless straight-through-processing steps:
This approach means that alerts are only raised on an exception basis, reducing the amount of time and effort spent on manually checking false positive alerts. The result is a system that maintains a smooth and responsive customer experience but minimises risk for the company and keeps internet companies one step ahead of the criminals.
Douglas Wolfson is director, financial crime compliance, LexisNexis Risk Solutions.