After Russian tanks rolled into Ukraine in February, the West responded by imposing a stranglehold of sanctions on Russian President Vladimir Putin and his inner circle. Even Switzerland—a byword for both neutrality and secretive banking practices—said it would freeze the assets of 367 Russian officials, including those of Putin and his prime minister.

Sanctions lists are issued and updated by global government agencies like the US Treasury’s Office of Foreign Assets Control (OFAC) and international bodies like Interpol or the United Nations. These lists identify sanctioned individuals, organizations, or businesses suspected of involvement in fraud, drug trafficking, terrorism, and dictatorships.

For banks that operate in these jurisdictions, screening new and existing customers against sanctions lists is an integral part of onboarding and compliance processes, formalized under a range of know-your-customer, anti-money laundering, and counter-terrorism financing regulations and standards. Firms that don’t get this right run the risk of regulatory fines and reputational damage.

But banks don’t always do a great job of keeping dirty money off their books. In recent years, the work of the International Consortium of Investigative Journalists—the non-profit that published the Panama Papers, the Paradise Papers, and other massive document leaks—has laid bare how wealthy people hide their shady dealings in secretive offshore companies, laundering money, dodging sanctions, and avoiding tax, all with the complicity of banks.

The Fincen Files, a leaked trove of regulatory filings called suspicious activity reports made to the US Treasury’s Financial Crimes Enforcement Network (Fincen), showed how the world’s largest banks, including JP Morgan, HSBC, and Barclays, allowed criminals to launder money and Russian oligarchs to dodge sanctions.

The regulators do levy fines—$10.4 billion in 2020, according to an annual report by client lifecycle management software provider Fenergo. However, a cynic might say that considering 2020 was a bumper year for fines (thanks to penalties related to the massive 1MDB scandal) and that the annual revenue of a large global bank is multiple billion dollars, it benefits banks to turn a blind eye. Under-resourced governments don’t turn up most compliance breaches, and if they do, the resulting fines are peanuts in the grand scheme of things—just the cost of doing business, like a kind of tax.

Those who have worked in compliance roles at banks, however, say that to be fair to banks, KYC/AML are difficult and still largely manual processes, and smart criminals and oligarchs don’t make it easy to track their accounts.

Rachel Woolley is global director of financial crime at Fenergo. But Woolley spent years of her career in various compliance roles at firms including Citi and fund administrator Citco. She says banks’ records are still manual, with account holders’ information often found in PDF documents scattered across silos and geographies. Banks haven’t had the capacity until quite recently to collect this information in a standardized format, drawing it from multiple systems into a central database, where a compliance officer can access the data quickly and identify risks within it or assess exposures to, say, Russian sanctions.

Bad actors don’t make themselves easy to find, either, covering the tracks of dirty money by sending it through shell companies or offshore accounts in jurisdictions that allow anonymous banking. They could employ “layering”: sending money through a series of transactions, often done between shell companies, to create layers between the money and its criminal source.

“A smart criminal isn’t going to use the same methods all the time to launder their proceeds. They’re going to hedge their bets, and use multiple financial institutions, maybe multiple jurisdictions, to evade detection,” Woolley says.

Charles Minutella is global head of customer and third-party risk intelligence at Refinitiv, now a business belonging to the London Stock Exchange Group. Minutella is responsible for Refintiv’s Due Diligence business, and the World-Check risk intelligence database. World-Check is about 20 years old and has around 10,000 customers. It is essentially a database of high-risk individuals that companies, including financial institutions, can use to understand the risks associated with them, to prevent financial crime and money laundering.

“The problem is that you run into a lot of complexity when you start unpacking those entities and individuals because it’s not just them: It’s their associates as individuals, their business interests as entities, it’s all their subsidiaries and affiliates—anything they own 50% or more of an interest in,” Minutella says.

World-Check employs teams of hundreds of researchers who find the links between individuals and their networks of associates or companies in which they have ownership.

“If there are 1,500 names added to sanctions lists across the world, that could mean 15,000 people and entities associated with that. On the surface, AML looks straightforward, but when you begin to unravel it, it’s a complex web of people and companies. We use publicly available information in a variety of languages to be able to stitch that together so that there’s consistency, and so that banks know how to actually apply the data,” Minutella says.

He adds that World-Check saw a 600% increase in initial searches just after the West announced sanctions against Russia, suggesting that financial institutions were checking whether they had associations with any sensitive individuals. The unusual activity has continued with logins increasing by 20% as users log in more frequently to check if the lists are being updated.

Coming earthquake

Meredith Moss, senior director of product solutions at investment solutions provider SEI, says that globally, authorities are going to get stricter on AML.

“This is not just a check-the-box regulation or sets of requirements on the industry. This is about enabling democracies to thrive and preventing autocracies from gaining power,” she says. “The financial services industry is one of the strongest tools to support democracy and to limit the power of authoritarian governments.”

Moss founded client lifecycle management software provider Finomial in 2010. Finomial’s anchor clients were fund administrators, and it looked to automate investor onboarding, including the AML/KYC and due diligence process. Moss sold Finomial to SEI last year.

Moss says that no investment manager or bank wants to have kleptocrats onboard, and firms work hard to make sure they don’t. “But if you don’t have the technology, if you don’t have the data, and you don’t have context for the data, it’s really hard to prevent bad actors from creating accounts and funneling their assets to you,” she says.

Moss says that the US is beefing up its AML laws, while global initiatives like the Automatic Exchange of Information—which shares tax information across borders—are signs that a new era of crackdowns is coming.

“These [initiatives] have really started this shift of the tectonic plates, and the earthquake hasn’t quite made it to the surface. But it’s coming, and firms that aren’t ready to be the masters of their data, and particularly the masters of their most sensitive data, their investor data, will be seen to be part of the problem,” Moss says.

Right now, if anything, enforcement seems to have slackened. In 2021, fines dropped almost by half, according to Fenergo’s latest report, which will be published in April. Admittedly, the year before was exceptional due to 1MDB-related fines. Also, Covid-19 meant that authorities couldn’t conduct their usual on-site visits to compliance departments, which may account for why 2021 was quieter.

But, Minutella says, the general trend of fines seems to be downward. OFAC, which is particularly aggressive when it comes to enforcement, brought 20 public enforcement actions across 13 different sanctions regimes for a total of about $21 million in penalties in 2021. Compare this to the era of record fines about 10 years ago: in 2012, when HSBC was fined a record $1.9 billion for allowing drug cartels to launder massive sums; or in 2014, when BNP Paribas pled guilty to large-scale violations of US sanctions and settled with the Justice Department to the tune of $8.9 billion.

“Have they taken their foot off the pedal with enforcement? I think the numbers would suggest yes. The industry hasn’t gotten better at this. I think we are at a crossroads: the criminals have gotten really good at concealing their identity, and using crypto payments to move money outside of the traditional financial system. The regulation needs to catch up,” Minutella says.

However, it’s true that global authorities are beefing up anti-money laundering defenses, especially in the United States.

In the US, the bedrock of AML regulation was laid down by the Bank Secrecy Act of 1970. The BSA requires banks to develop an AML program—identifying its unique risks, establishing policies, and allowing for regular third-party audits. Banks must detect potential money-laundering activities and report them to the government as suspicious activity reports (the reports that made up most of the Fincen Files document trove). The Patriot Act extended the purview of the BSA to include terror financing.

There had long been bipartisan efforts to modernize these rules, and after the Fincen Files scandal showed their limitations, lawmakers were able to sign into law in early 2021 one of the biggest changes to the US AML regime in two decades with the Corporate Transparency Act.

The act essentially cracks down on anonymous shell companies, creating a registry within the US Treasury to which companies will have to submit beneficial ownership information—similar to the UK’s Companies House registry.

“It’s a mammoth task to overhaul or introduce anything new in the US, so that has been underway for some time,” Woolley says. “But it has certainly accelerated in the last couple of years. The US is overhauling its approach to financial crime, which in some respects was behind the EU and UK.”

The EU has also been looking to overhaul its AML/CTF regime with a package of proposals released in mid-2021. The measures include a harmonized rulebook, and a proposed EU-level body called the Anti-Money Laundering Authority to create a more consistent approach to prosecuting money laundering and terror financing.

In the UK, regulators are starting a slow process of reviewing Companies House, which has little oversight. Perhaps somewhat more convincingly, the FCA is looking to use criminal—as opposed to regulatory—prosecution powers against financial institutions in AML investigations. The FCA was granted these powers in 2007 but only used them for the first time in 2021, in a money-laundering case against NatWest. The bank pled guilty and was fined £265 million ($347.5 million).

Compliance culture

But even without regulatory and reputational incentives to be better at KYC, banks should also embrace the altruistic reasons, Woolley says.

“Financial institutions are sitting on a goldmine of transaction information that could help detect illicit activity, even in some of the most horrific crimes like human trafficking. We need people involved that are determined to identify and act on this activity. And the only way to do that is by having all the information held in a consistent and standardized way so that they can extract that information,” she says.

Getting better at KYC means getting better at data management, she adds.

Fenergo provides client lifecycle tech that enables financial institutions to digitize management of accounts, from prospecting to onboarding, ongoing due diligence, and offboarding. As a result of acquisitions and by setting up overseas subsidiaries, most banks have grown into tech estates of disconnected systems, siloed in product lines. This is a major problem from a KYC perspective, as important client data could be found in spreadsheets or legacy applications that can’t communicate with each other. So what Fenergo partly aims to do is help institutions understand where the most relevant client information is stored, and how that can be consolidated into a single source of customer data.

To keep that data up to date, the platform can consume client information via API from screening databases like World-Check, LexisNexis Risk Solutions, and Bureau van Dijk, alongside information about rules from regulatory experts.

Fenergo was founded in 2008 and has about 90 clients, including Mizuho, State Street, and BMO Capital Markets.

Minutella agrees that banks need both technology and data. But all that is meaningless if they don’t also have the culture within their organizations to take action on that data. Many banks spend millions on KYC/AML and still fall foul of regulators.

In the case of the Fincen Files, for instance, the banks were flagging suspicious activities to Fincen, but once they had done so, had no responsibility under the BSA to take further action and so seemed to feel as if their duty was done.

“If you look at where the incidents have been, they’re typically not failings of uncovering information,” Minutella says. ”If you don’t change the culture, if it’s not a board-level mandate that they are not going to engage in potentially egregious activity, you can spend all the money in the world on technology and data and provide the information [to regulators]. But if the risk decisions aren’t made in the right frame of mind, then we will continue to have these issues.”