The new year began with a flurry of news that's just a sample of the crimes that financial institutions must help battle.
Nasdaq reported in early January that there were $3.1 trillion in illegal transactions made in 2023. More than $800 billion was connected to drug trafficking, $350 billion was tied to human trafficking and $11 billion from terrorism. Another $500 billion was lost to fraud.
Less than two weeks later, at the beginning of February, the Financial Crimes Enforcement Network issued an advisory against illegal financing being used to fund Israeli extremists that the U.S. had sanctioned for targeting Palestinians. That came at nearly the same time as the Anti-Defamation League warned of anti-Israeli extremists using cryptocurrency to fund terrorist operations. And in late January, new U.S. sanctions were issued against Russian interests connected to the country's two-year-old war against Ukraine.
In short, financial institutions' job of preventing money laundering and other illicit money movement is getting harder as they work to comply with U.S. sanctions against countries and parties the government has connected to such activities.
That challenge includes a fast-changing regulatory environment, underserved risk management staffs and evolving technology that can benefit and hurt both sides in the fight.
Sixty-nine percent of executives say financial crime risk will increase over the next year, according to research from Kroll, which also reported that 66% of firms plan to boost security spending to combat the threat.
The increased investments will go toward mitigating illegal payments, complying with U.S. sanctions and rules fighting money laundering or halting the use of otherwise legitimate financial infrastructure to fund illegal activity.
Money laundering regularly reaches 5% of global GDP, according to research from technology firm Persona. Financial institutions of all sizes have recently been hit with fines tied to AML lapses. Wells Fargo, for example, was fined a total of about $98 million in 2023 after U.S. regulators said the bank had insufficient AML compliance due to trade finance software that dated to a system at Wachovia. Wells Fargo acquired Wachovia more than a decade ago.
In another instance, later in 2023, Oscar Marcel Nunez-Flores, a staffer at an unnamed bank, was arrested by New Jersey authorities for accepting bribes to enable millions of dollars in laundering. In December, Fincen issued a consent order against Gyanendra Kumar Asre, a former employee at the now defunct New York State Employees' Federal Credit Union. Regulators said Asre was connected to an operation that transferred $1 billion in Mexican funds to electronic deposits using the credit union's master account with the Federal Reserve.
In late January, the Federal Reserve and New York State Department of Financial Services issued an enforcement action and levied $32 million in fines against the Industrial and Commercial Bank of China. That was in connection with allegations that the institution had inadequate anti-money-laundering controls.
While the case did not involve a bank, the Department of Justice in November fined crypto firm Binance Holdings $4 billion after the firm and its CEO, Changpeng Zhao, admitted to not maintaining an effective AML program.
"Financial institutions are reeling. They need to get better at transaction monitoring," said Marc Trepanier, a fraud consultant at payments and financial technology company ACI Worldwide. "AML is not the fastest moving industry."
More digital, more problems
Money laundering has existed for decades, as has the patchwork of international rules that govern corporate responsibility for preventing criminals from using the financial system to their benefit. Most countries have rules, generally referred to as "know your customer" or KYC, that require firms to vet clients and other third parties to ensure they're not doing business with a nefarious entity.
But today, more money is moving electronically and transactions are being processed faster than ever before. That leaves less time for risk professionals to spot red flags that could signal payments being made on behalf of criminals.
The number of digital payments passed $10 trillion for the first time in 2023, according to Statista, which counted mobile point of sale, digital transfers and other forms of e-commerce. That compares to about $3.5 trillion in 2017 and sets a pace to pass $11.5 trillion in 2024 and $16.6 trillion by 2028.
"AML is harder now than it was six or seven years ago. A big part of that is the world is more digital and more connected," said Adam McLaughlin, global head of AML strategy for Nice Actimize, a risk and compliance firm.
As the parties involved in financial transactions expand to include more digital firms, fintech apps and social networks, adhering to know-your-customer rules becomes more complicated, according to Daniela Hawkins, managing principal at the consulting firm Capco.
Take social networks, for instance. These platforms are often subject to controversies including hostile political speech, privacy lapses and security breaches.
But they have also become more active in the payments space over the past few years. Meta Labs, formerly known as Facebook, was affiliated with Diem, a stablecoin that failed under regulatory and economic pressure. Meta has also introduced a "pay button" that enables consumers to choose Meta as a payment option on e-commerce sites.
Meta also has several other products related to payments and financial services. Elon Musk has promised to add payments and other financial services to X, the social media platform formerly known as Twitter that he acquired in 2022.
Meta and X did not provide comments for this story.
Social media networks present unique challenges when it comes to knowing their customers. Users can operate under fake names, profile pictures and biographies, for instance. And social media platforms do not have the same regulations as banks.
"How do [social networks] know they are dealing with a person who has a real address and is a real person?" Hawkins asked.
There are other venues for laundering that can be difficult to spot.
Unused gift card funds, for example, are one avenue that crooks utilize because of the anonymity and the high amount of unused money that resides on cards. In effect, gift cards are prepaid cards that are difficult to trace because the only record is a receipt for a purchase — which is not tied to a specific consumer. The party that purchased the gift card is not necessarily the user who then spends the money. Criminals can use gift cards as part of a scheme to steal funds for purchases on e-commerce sites, travel or to fund other illegal activities.
Additionally, there is about $21 billion in unspent funds on gift cards in the U.S., according to CNN, citing research from Credit Summit. That represents potential money criminals can steal to fund illicit activity, often without consumers ever knowing the money has been taken.
"There's billions of dollars sitting on gift cards that people don't know about," Hawkins said.
Sanctions war
Crooks disguise the funding for their crimes by using legitimate rails, such as banks, fintechs, cryptocurrency or other organizations that move money for illegitimate purposes — posing reputational and legal risk for those organizations.
That's part of what can make it difficult for financial institutions to catch and prevent criminal activity.
To comply with AML standards, banks have to follow the Bank Secrecy Act, and fintechs have to follow similar rules, according to the Texas A&M Law School.
These rules, which date to the early 1970s and are regularly updated, generally require financial institutions to keep records of payments in high amounts and file reports on activity that may be useful for criminal, tax or other regulatory matters.
U.S. bank regulators, such as Fincen, use this information to work with domestic and international law enforcement to spot and combat money laundering and related crimes, such as terrorism, drug or human trafficking and other forms of bank fraud. The BSA also requires financial institutions to file reports of cash transactions exceeding $10,000 in daily aggregate amount.
In the past two years, complying with these rules has meant avoiding doing business with Russian banks, oligarchs and other parties tied to Russia's invasion of Ukraine. More recently, the U.S. has sanctioned organizations tied to the war in the Middle East.
"For the West, the wars in Gaza and Ukraine are being waged largely through sanctions, and that requires compliance and third-party risk," said Joe Robinson, CEO of Hummingbird, a company that develops technology that combats financial crime.
The recent incidents Hummingbird has investigated include funding used for human trafficking and drug sales, along with alleged terrorism financing. A typical financial institution investigates up to 25 potential cases per week, according to Robinson.
"Most of the time it's a normal thing, but not an illegal issue," he said, adding the quality of data sourcing is key to spotting an actual crime versus a false positive.
In response to Russia's invasion of Ukraine in February 2022, most Western countries have imposed sanctions on banks and other companies that are operating inside Russia or do business with Russian interests. These sanctions have been updated dozens of times over the past two years, and carry millions of dollars in fines, according to the Office of Foreign Assets Control.
"These sanctions are mostly from North America and Europe," McLaughlin said, noting many countries outside of these regions have not imposed sanctions on Russia. "But the West has to trade with companies in these countries. So financial institutions have to work harder to verify sources of funds."
In the wake of Hamas' attack on Israel on Oct. 7, the U.S., the U.K. and other countries have levied sanctions against anyone they've deemed to be aiding the militant group. These sanctions have been updated as that war has progressed to address funding parties that are fomenting violence against both Palestinian and Israeli civilians.
"There are a lot of challenges ... the Ukraine-Russia war, the Israel-Hamas war, the elections and everything that's going on with that," Trepanier said.
Besides issuing sanctions, regulators in the U.S. and Europe are tightening rules around laundering as a result of these conflicts. The European Parliament in January reached an agreement to produce a single rulebook to govern AML in the EU. The agreement will give more power to financial intelligence agencies in EU nations to detect money laundering and to halt suspicious payments. That should also mean a boost in efforts to investigate efforts to circumvent sanctions.
In the U.S., the Biden administration has pushed more cooperation between agencies such as the Justice, Treasury and Commerce departments to collaborate on AML investigations, according to Gibson Dunn. The law firm adds the DOJ has hired more than two dozen additional prosecutors to cover economic crime. More than $500 million of assets were seized from investigations into money laundering connected to Russia during 2023.
Earlier in 2023, Fincen announced a plan to provide financial incentives for whistleblowers that provide information that leads to fines against financial institutions that violate sanctions. The program is expected to boost AML investigations.
"There are signals that more is happening at the government level," Trepanier said.
Polarizing politics is also exacerbating compliance pressure. Following the Jan. 6, 2021, storming of the U.S. Capitol that occurred in the wake of the 2020 presidential election, several payment companies curtailed or blocked transactions to individuals or organizations that were tied to the riot.
PayPal and Venmo were among the payment companies that blocked transactions; while Visa, Mastercard and American Express adjusted their political donations following the events of Jan. 6. Funding the Jan. 6 attackers has not been considered money laundering per se — most of the criminal charges were tied to vandalism or trespassing on government property.
Instead, the payment companies decided to act based on the potential of reputational risk and a violation of their own terms of service policies. During Mastercard's most recent earnings call, CEO Michael Miebach was asked about the card company's plans for the next election season, and the potential for disruption to the payment industry.
Miebach did not give a direct answer but said "we have faced numerous geopolitical challenges over the past three years."
Geopolitical issues are less likely to directly impact financial institutions. But there could be more political pressure from regulators or greater reputational risk.
"The real issue is these geopolitical risks will increase scrutiny," said Harry Stahl, senior director for enterprise strategy at FIS.
The work required to combat laundering, illicit payments and other transactions involving criminal activity is similar to trade reconstruction, according to Stahl. Trade reconstruction accumulates different streams of data involved in a financial trade for compliance and IT purposes. As transactions become increasingly digital, the work involved in trade reconstruction becomes more difficult and requires participation from multiple parts of an organization.
When applied to AML, the challenge is to accrue data from numerous and an expanding number of sources.
"An organization is touching a lot of data but doesn't have all of the pieces," Stahl said. "How do you pull in all of this data to get a full view of what's going on with outside parties? Is this person or company legitimate?"
FIS collaborates with partners to help it perform sanctions screening, know-your-customer and other tasks associated with laundering risk. Stahl would not name partners or particular products.
"What we're doing is evaluating some of the newer and smaller fintechs and other companies that are coming up," Stahl said.
Are there enough AML fighters?
The responsibility to spot suspicious activity falls largely on compliance or security risk teams at financial institutions. Research suggests these workers are stressed in a manner that could hurt investigations or other vetting. That could make artificial intelligence a more valuable tool in stopping illicit financial transactions.
Seventy percent of banks and nonbank financial firms say their compliance units have capacity challenges, according to research from Celent that was commissioned by AI firm Workfusion. The research also found that 38% of financial institutions call on senior staff to help manage staff shortages and 63% say it can take four months or longer to fill compliance analyst jobs. Fifty-three percent say challenges with employee retention increases workload on other staff, which increases time for investigations.
"A lot of AML teams have resource constraints," Trepanier said. "They're trying to do more with less."
Among payment firms, Wise, for example, said that about 20% of what it spends to run the company is dedicated to fighting financial crime and ensuring it is in compliance with about 70 regulatory licenses in the U.K., U.S. and elsewhere.
"Our models in transaction monitoring learn on an ongoing basis, and we invest in identifying changing trends and emerging risks to improve these models. When we identify such trends in one location, we apply the rules to combat them globally, thus scaling our ability to spot issues early, and catch bad actors everywhere we operate," Wise's public relations unit said in an email.
Potential solutions
The goal for financial institutions in vetting third parties and clients for AML risk should be that 90% of transactions are executed digitally with minimal interruption, ensuring the software can catch potentially suspect activity while maintaining user experience. The remaining 10% should be those that require manual sourcing to ensure AML compliance, according to Philip Paul, CEO of Cotribute, a financial technology company.
"The predictive models you use have to be that good in order to maintain a good customer experience while remaining safe and in compliance," Paul said. "It's never one and done. The data and analysis have to be flexible."
The Celent/Workfusion research found 86% of organizations plan to increase spending on AI and machine learning with the goal of improving AML. Some of that funding could go to using artificial intelligence to help fight money laundering.
The U.S. Treasury has supported using AI to help with AML compliance and to aid fraud prevention. But there are some challenges, such as banks disclosing details of suspicious activity that were formed in part by AI.
Generative AI, which is a form of AI that analyzes data to produce original conclusions, in particular could be used in AML. But crooks have already proven themselves adept at using generative AI to commit financial crime. It's easy to use gen AI to create fake identities, fake accounts or even false transactions, said Hummingbird's Robinson.
"In the age of generative AI, there are major challenges for KYC," said Robinson, whose firm has worked with Stripe, Klarna and Affirm — three companies that offer payments and buy now/pay later lending, as well as cryptocurrency exchange Coinbase.
Since generative AI and other forms of machine learning are designed to accrue and analyze much larger amounts of data faster, it makes it harder to pinpoint the origin of that data. "Is it a business or a group of individuals?" Robinson said. "And when you apply all of the regulatory pressure and the wars, it becomes more complex."
Still, there are some simple benefits of using generative AI for AML risk, Stahl said. "Machine learning is more efficient, and it can be a value add when you're dealing with disclosures and reporting."
And despite the significant attention that generative AI has gotten in the last year, other technology may prove more useful in fighting financial crime. This could include biometrics, Hawkins said. For instance, implementing "selfie pay," where a consumer has to take a photo of him or herself as part of enrollment, can make it more difficult for a bad actor to complete a financial transaction using a fake or stolen account since the crook is less likely to have a biometric record of the legitimate consumer.
"We have been talking about this for a long time, but a retinal scan or fingerprint is a more robust way for an organization to know their customer," Hawkins said.
