Turning technology against financial crime

Speech by Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, delivered at the Royal United Services Institute, London.

Speaker: Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists
Location: Royal United Services Institute, London
Delivered: 23 October 2019
Note: this is the speech as drafted and may differ from the delivered version

Highlights:

  • Financial crime and the criminal activity it facilitates cause incalculable damage to society – our joint endeavour is to monitor entry, devise controls and erect barriers powerful enough to stop criminals from causing further harm.
  • New technologies give us unprecedented access to innovative products and services, and flexibility in how we use them. But they also give criminals sophisticated tools to bend the financial system to their own ends.
  • Used to the right ends, these technologies can be gamechangers in the fight against financial crime – both for industry and the regulator.

I don’t need to remind the people in this room that financial crime is big business. We cannot be sure exactly how much money is laundered through the UK, but our best estimate puts it in the range of hundreds of billions of pounds. It is also estimated that the serious organised crime that money laundering facilitates costs the UK £37bn every year, while the estimated annual cost of fraud in the UK stands at a staggering £190bn. But mere facts and figures alone don’t convey the incalculable damage these activities cause to our society. 

Fraud accounts for around one third of all crimes experienced by individuals. And in the last year we’ve seen a 17% increase in fraud offences, driven by an increase in bank and credit account fraud to 3.8 million offences. Whether inflicting punishing personal losses or threatening the ability of organisations to stay in business, the impact of these offences is devastating. There are, of course, already requirements in place that aim to combat fraud, money laundering and terrorist financing across the financial sector. These requirements focus on the need for effective systems and controls in firms to detect, disrupt and stop criminal activity. But the fast pace of technological change and ever-evolving nature of criminals means that these systems and controls do not always change as quickly as the threats themselves. 

Our joint endeavour is to monitor entry, devise controls and erect barriers powerful enough to stop criminals from causing further harm. The task is daunting. New technologies are exciting and innovative. They give us unprecedented access to new products and services and flexibility in how we use them. And they are popular. More than 5 million people chose to lead an almost cashless lifestyle this year according to UK Finance. But they also give criminals sophisticated tools to bend the financial system to their own ends – the anonymity granted by virtual currencies being one well-known example. And with debit cards now the most popular method of payment, the opportunities to exploit weaknesses in the system are evolving. And yet, these same technologies, when used to the right ends, could also be game changers in the fight against financial crime.

Lots of people talk about technology as an enabler of financial crime. But today I want to focus on how technology can be used to detect and disrupt financial crime, and ultimately the criminals who seek to exploit the system.

The challenge we face 

Let’s first take a moment to consider this issue in context. The UK’s financial sector facilitates about £90 trillion changing hands every year, amounting to tens of billions of transactions. And last year alone there were 39.3 billion payments made in the UK. A proportion of these transactions will relate to criminal activity. We don’t know much – and identifying which ones is an enormous challenge, one that is only getting harder as criminals, aided by technological innovation, develop ever more sophisticated schemes.

Firms do not always have the complete picture when searching for patterns amongst vast amounts of data. The 2,000 firms who were involved in our first annual Financial Crime Data Return told us is that they collectively spent over £650 million a year on dedicated people to combat fraud, laundering and other financial crimes. And that didn’t include the efforts of branch staff dealing with customers at counters, who are at the front line of the industry’s efforts to tackle fraudsters and money launderers. Those firms made over 360,000 Suspicious Activity Reports to the National Crime Agency in 2017, and identified nearly 120,000 Politically Exposed Persons. So we already know that, on the whole, most financial institutions are not complacent about the risk and we can still see this from the figures we continue to collect. 

Since we first carried out this survey, we have seen more firms wanting to participate, and we will be publishing our latest data next year. That in itself presents its own challenges in drawing out trends, but gaining a broader understanding of what is going on across the industry can only be a good thing. What the latest results already reveal is that the collective resourcing cost of the fight against financial crime among these firms now comes to over £1 billion each year. That in itself may not come as too much of a surprise, but among the larger survey group what we also see is that the numbers of Suspicious Activity Reports and identified Politically Exposed Persons have not grown in the same proportion. 

Spotting bad behaviour is not easy, particularly when it lurks within an ocean of legitimate activity

It is too early to pin-point definitively why that might be the case. But what we can say is that our data-led approach enables us to bring these sorts of questions to the surface in a way it hasn’t been possible to tackle before. And it also allows us to deploy our resources and efforts in a quicker and more targeted way, as emerging areas of harm are identified. What certainly remains the case is that spotting bad behaviour is not easy, particularly when it lurks within an ocean of legitimate activity. The so-called ‘needle in a haystack’ challenge.

The way firms approach this challenge varies. But what is clear is each and every firm who is part of a transaction chain has a responsibility here, for example checking who their client or customer is. For some it’s a mixture of machine and manual processes – technology is used to flag up risks but banks still rely on thousands of staff to manually review those flags. What we might call ‘checkers checking the checkers’. Some firms are automating existing processes through the use of compliance technology, helping them keep on top of volume and reduce false positives in transaction monitoring. Some are going even further. We are seeing an increasing number of firms applying intelligent technology to tackle financial crime – including AI, robotics, natural language processing and machine learning.

Continuous innovation is vital if we’re going to stop criminals in their tracks

Continuous innovation is vital if we’re going to stop criminals in their tracks. In particular, it is becoming increasingly apparent that disrupting financial crime in real time is a key frontier. This is certainly true of fraud – stopping it before it happens. AI and machine learning could really make the difference here. From AI-driven impersonation checks to verify whether photos in different ID documents match, to the use of machine learning to identify high risk customers who may warrant deeper background checks – AI and machine learning could be turned to real, practical uses in the fight against financial crime. Not to mention harnessing machine learning to detect fraudulent patterns in real time and with greater accuracy – making it possible to identify if that really was me buying coffee in Kings Cross yesterday or a fraudster. 

Now as a regulator, we are ‘technology neutral’ – I’m not going to tell you whether you need to automate all your systems or question why you aren’t using AI in every part of your business. But we all need to experiment with new technology, and together see how we can tackle criminals who want to exploit the financial system. We focus on outcomes – and if a new innovation can help reduce harm, we welcome it. We all have a public duty to explore all opportunities to combat crime. Together, we need to turn technology against criminals.

Our role as the regulator

Of course, it’s not only firms that play a key role here. Beyond setting rules, publishing guidance, supervising firms and sharing intelligence, regulators are also exploring innovative approaches to combatting financial crime. It is clear that this threat needs a collaborative response. That’s why we have set up the Sandbox to support firms and their efforts to innovate in RegTech.

In our latest cohort of our regulatory sandbox, we have seen a number of propositions looking at digital identity specifically. Using machine learning, businesses can verify the identities of their customers digitally – reducing the need for cashiers to check identity manually in branch. It is clear that we need to build our own networks to combat the criminal networks. That is why we have also run two successful TechSprints, which looked at how the fight against financial crime could be aided by better information sharing – whether that be through relatively mature technologies like distributed ledgers or more nascent concepts such as homomorphic encryption. In fact, the latest, which we held in July, focussed specifically on how ‘privacy enhancing technologies’ (PETs) can facilitate the sharing of intelligence between firms, regulators and international law enforcement agencies without compromising data protection requirements. 

The solutions it produced included:

  • the use of multi-party computation to drive real-time analysis of payments to combat authorised push payment fraud
  • federated learning technologies to share and identify financial crime typologies across multiple entities
  • using PETs to establish a ‘golden pool’ of data, supporting better identification of beneficial ownerships by eliminating discrepancies between public registers and firms’ own records
  • tougher encryption, enabling firms to make enquiries about higher risk customers to uncover discrepancies in their on-boarding and due diligence processes

Pursuing ideas such as these is crucial, because we know that the exchanging of information needs to be conducted on a global scale. And that is why promoting and supporting them is so important, and why we have published videos of all the TechSprint solutions on our website and will continue to track them through to proof-of-concept stage. It is true that not all of them may work, but that can’t be a reason not to look for the ones which will. And in the first half of next year, we will publish a report detailing the progress made since the TechSprint.

Financial crime and the perpetrators behind it do not respect borders – their operations are truly transnational. So, our response must be too. That’s why we set up GFIN, a global financial innovation network, dedicated to supporting innovation in the interests of consumers. Now comprising 38 nations, from Bahrain to Bermuda, GFIN provides a forum for regulators and firms to collaborate on common challenges and policy questions. After all, without a harmonised approach, our efforts will be hamstrung. This also includes collaboration at a domestic level. For example, we are closely involved in the Government’s Economic Crime Plan, which commits the FCA and others to considering how the payment system can help tackle economic crime.

The Economic Crime Plan also highlights the strong public/private ethos in this area. The Joint Money Laundering Taskforce (JIMLIT) continues to grow strongly, reflecting the shared commitment to tackling this threat. And we’ve seconded our own people to the UK’s National Economic Crime Centre, which plays a key role in improving the policing response to fraud and money laundering.

Our own innovation

As regulators, we have relied on traditional supervisory tools for many years. But the technological innovations that are being brought to bear on industry approaches to financial crime also have major implications for our own work. And we need to make the most of them. In the last 12 months, we took over 15,000 calls from consumers reporting on scams and fraud. And in this year alone, we’ve received over 1,000 calls from consumers relating to crypto scams. The number of unauthorised scam cases where we have called for ISPs and web hosts to act on our alerts is ever growing. Since 2016, we have raised 785 of these alerts. Our own website has a scam checker page and warning list where consumers can check for scams. So, as you can see, this is an issue we have to grab with both hands. And with these growing numbers of calls, we too are trialling new ways of automating how we handle large volumes of unstructured information.

In a recent example, we have applied natural language processing to process over 50,000 consumer complaints interviews – quickly categorising, sorting and structuring these data into action-able cases. Reflecting the opportunities of the fourth industrial revolution we’re living through, we, like industry, now need to think differently. We have established the Analytics Centre of Excellence, an internal initiative to drive the use of data science, machine learning and AI across the whole of the FCA .This function, staffed by experts in regulatory technology and data science, is embracing the potential of new technologies to identify and prevent harm, as well as to automate and simplify our processes to maximise effectiveness.

We are currently experimenting with new analytical techniques, including predictive analytics and web-scraping, to help us discover key trends and potential outliers more quickly. This will help us focus supervisory efforts on entities that have been identified as higher risk.

One example is the use of data to spot potential outliers. Take money laundering – we have reviewed 10,000 data points across 16 separate regulatory returns including our Financial Crime Data Return, which I mentioned earlier and is now in its third year – to produce analytics that can highlight risk profiles. From this we can be better informed about the potential for businesses to be more susceptible to money laundering risks. This means supervisory work is more dynamic, targeted and responsive to risk indicators. And we’re exploring the feasibility of using automated tools, as our more traditional methods of supervising systems and controls can benefit from new techniques. For example, we are looking at two proofs of concept to test where gaps may exist in systems and controls designed for sanctions spotting and transaction monitoring. These tools could help firms understand if sanctions data is up-to-date and whether their defences are able to pick up known money laundering typologies and patterns.

As a regulator we already make use of innovative tools in other spheres – in the cyber space we use CBEST, or in plainer terms, ethical hacking – to help us test the robustness of firms’ defences against cyber-criminals. Why not take this thinking into the financial crime space?

We are currently experimenting with new analytical techniques, including predictive analytics and web-scraping, to help us discover key trends and potential outliers more quickly. This will help us focus supervisory efforts on entities that have been identified as higher risk.

Over time, we hope this will allow us to deter misconduct by focusing on specific firms or portfolios based on interesting patterns and trends we observe in the data.

Conclusion

The pace of change the financial sector is experiencing can feel daunting. But as a regulator I feel encouraged by the industry’s commitment to work together to make the UK a secure place to do business. It’s easy to get lost in the detail. But let’s not forget that at the heart of the discussion around financial crime sit two vastly important issues – societal harm and economic prosperity.

The rise of technology threatens both when exploited to criminal ends. We can’t shy away from that and the FCA has high expectations of ourselves – and firms – to meet this challenge. Experimentation with new technologies will bring about new ideas and new ways of tackling the challenges. It might not succeed first time but our experiences will inform the next generation of experiments and ultimately deliver change.

Technology, frequently an enabler of crime, can also be a hugely potent tool in the fight against it

Technology, frequently an enabler of crime, can also be a hugely potent tool in the fight against it. Indeed, it may be the greatest tool we have, giving us the chance of finding that needle in the haystack. So, if I could leave industry with one message today it would be don’t be afraid to use technology and innovate to keep criminals out.