Facebook veteran: Banks have big AML blind spot
Money launderers are increasingly taking a back door into banking — through social media platforms, online retailers, games, apps and the sharing economy, a former Facebook executive warns.
Virtual services and payment options offered by the likes of Amazon, Google and Facebook lack sufficient safeguards against financial criminals, who will keep exploiting the vulnerabilities until they are fixed, said Ben Duranske, the chief compliance officer of Facebook Payments from 2010 to 2015.
Banks are caught between their enthusiasm to do business with trending tech companies and their uncertainty about how to deter nontraditional laundering methods, Duranske said. He co-founded a compliance technology company called Beam, which aggregates and shares information about evolving money laundering schemes.
The San Francisco firm recently raised $9 million in new money, including $7 million in seed and Series A funding. In an interview with American Banker, Duranske critiqued anti-money-laundering techniques relied upon by financial institutions, and discussed what changes will be needed as criminal enterprises seek to exploit popular online services.
The following conversation has been edited for length and clarity.
What challenges do banks face in expanding their compliance efforts through technology?
BEN DURANSKE: As an industry we’ve been boxed in by technology. When computers got fast enough to review all transactions, regulators started to expect that’s exactly what banks would do. So as new money laundering schemes, new human trafficking schemes, new terrorist financing schemes’ mechanisms developed, it became incumbent on banks to monitor for all those things. The way they did that was with these huge rule sets, literally something like, if you deposit more than $800 in cash, queue that up for a human to review. If you open up a new account, different from the one you have and with a certain amount of money involved, queue that up for review. If your activity increases more than three times what it was last week, queue it up for a human to review.
Over time, we just added to those rule sets. You went from having 20 or 30 rules to having hundreds of rules, to in cases of larger banks, thousands of rules. All of which were queuing up transactions for humans to review. That involves a lot of humans and a lot of money. It’s expensive to maintain all these people when they are reviewing a huge number of transactions. I think that’s unsustainable in the long run. That’s also in the mind of many bankers, certainly at the larger institutions. So other companies and Beam are looking for ways to more effectively monitor transactions, so that we’re not having people review hundreds of transactions for every one that they find is suspicious.
So where is the complication? It is from the multiplication of data, or the multiplication of rules?
The data is what it is. We have all this data, and it’s incumbent on everyone to take full advantage of it. It’s the processing of that data using a fairly dated mechanism, which is just simple rules, that creates all the false positives, and in many cases, unnecessary human review. So there’s a lot of data, but there are better ways to process it than just simple filters.
But having a human to review has always been presented as the means to determine computerized compliance oversight is being conducted properly.
Humans are a critical part of this and always will be. One of the fundamental principles of what we’re doing is that we don’t think technology is going to replace humans altogether in this scenario. I don’t think it’s possible. The reason for that is the other side of the equation is also human. They are bad guys, and they are creative. They come up with all sorts of interesting ways to launder money and commit criminal activity with finances, including even using nonbanks. One of the more interesting examples of money laundering over the last year is that people were selling nonsense books full of gibberish on Amazon’s print-on-demand service for thousands of dollars, and laundering money through stolen credit cards or other vehicles that way. So people come up with creative ways to misuse the financial system, and you need smart analysts on the other side of that, who are looking for bad activities.
We’re aggregating all of that intelligence across financial institutions. So if you have a smart analyst who discovers some new and interesting way to do something terrible with the financial system, we’re able to translate that across our customer base, so that other analysts at other institutions can learn from it. That’s a very rudimentary way to describe machine learning and artificial intelligence. But AI doesn’t exist in a vacuum; it has to be fed through smart people's analysis. So we’re helping banks’ smart intelligence units get even smarter, and helping smart analysts do their job more efficiently.
You might be familiar with the critical coverage of late regarding Facebook and its human moderators of content. How much can humans do as that quality check, that stopgap?
You’re looking for large events as a threshold. It’s really not interesting to launder $300. It really doesn’t matter from a criminal's perspective; it doesn’t matter from a financial institutions’ perspective. You’re looking for larger trends over time, abnormal behavior and abnormal account activity that rises to the level that a criminal enterprise is doing.
I won’t discuss Facebook specifically, partially because I am an attorney and worked at Facebook in that capacity, but I will say that platform economy companies like Facebook, Google, Apple and Amazon all are moving money from one party to another in some capacity. In all of those cases, people have come up with creative ways to move money for a criminal enterprise back to the owners of that enterprise and make it look clean. That’s true in any games ecosystem where somebody can create a game and then sell the in-app purchases, or a ride-sharing company, an Airbnb; anyplace somebody is offering something, particularly where there aren’t any goods changing hands, but it’s a service or a digital content item where there is no real cost of production associated with it — those are prime platforms for money laundering.
Banks aren’t [applying more scrutiny to these platforms] yet, though they are getting more involved to a greater degree; that economy is a real target for criminal enterprises. Generally it’s monitored less, and generally it’s operated by companies that don’t have a history of dealing with financial crime. Those companies actually make up a lot of our customer base, and I think the future of criminal activity is undoubtedly going to focus on those platforms.
Will that result in some institutions deciding to not bank these businesses?
Very much so. That’s a real trend. The term is "de-risking." And even in businesses that aren’t directly regulated, banks have stepped back from wanting to bank those companies. There are a handful of banks that do, usually at a very high premium.
Do these banks have certain demands that platform companies have to meet?
They do. It’s pretty ad hoc right now. Banks that do this generally will have audit rights into the transactions. But it’s cumbersome and there isn’t a good technological solution for them. They monitor in real time. Sometimes these banks require access to the compliance policies and the ability to contact the compliance department at the platform company, if there even is one. Where we can help banks and their customers is by providing the pipeline to make that happen.
One of the pilots that we’re working on launching right now, we’re working with a bank that specifically wants to get into that business, really bank platform economy companies. The way that they view themselves as being able to do that is by giving themselves a greater window of visibility into the transactions occurring on those platforms. We’re in a position to serve as the data broker between the platform economy companies that have all the transaction information of their customers, and their bank, which has all the compliance obligations. We think that’s a pretty meaningful role for us to play in this financial ecosystem, and one that’s going to expand over time.