(originally appeared on the Association of Certified Financial Crime Specialists Blog) All content owned by the author, all rights reserved.
As large banks in recent years have struggled to properly calibrate the financial crime futures of customers, across classes, geographies and other risk strata, there is a growing chorus of compliance and technology professionals saying a better way could, literally, be at our fingertips.
In a bid to go beyond standard customer due diligence, in both depth and scope of potential illicit activities, some banks have engaged in, or are considering, key changes to capture more information from non-documentary sources including a person’s virtual afterimages on the World Wide Web, in addition to digging down to get a better sense of customers’ customers, entities linked through correspondent portals and the ownership and business structures of firms.
The desire for banks to go beyond standard customer knowledge paradigms is part of a broader trend of institutions concluding that using standard documents, like a passport or driver’s license and stating a client or country is low or high-risk, is not enough.
The analyses of customers for anti-money laundering risks – and increasingly the risk of other financial crimes and corrupt activities – need to be more thorough, fuller and create a more individualized picture, rather than just categorizing broad swaths of customers or regions, say compliance professionals.
The standard documentary verification methods are, in some cases, “too easy to copy,” and too one-dimensional in terms of true financial crime, fraud or reputation risk, said a compliance officer tinkering with a relatively new field of study with underpinnings that could help anti-money laundering (AML) professionals called “social biometrics.”
“But verifying to a certain level of confidence that you really exist and are who you say you are can be done by sifting through the terabytes worth of deep web data of social breadcrumbs,” said the person, who asked not to be named. “Those are the digital footprints you may have left on Facebook, LinkedIn, Foursquare and others. They are all stored somewhere.”
The data could also give more comfort to nitpicky examiners and risk-wary banks that would typically turn away individuals from high-risk regions, such as Pakistan, or individuals that don’t have credit or other banking histories, said the person.
Looking at the years of digital data on a customer or potential client let’s a bank “look at the whole picture holistically,” said Johnny Ayers, the senior vice president of business development and co-founder of Socure, which has created a tool to score risk in several key areas by mining the “social biometrics” of individuals culled from the deep web.
“There is a lot of data in the wild with the proliferation around social media,” he said. “People are living their entire lives online. We see there can be a tremendous amount of data publicly and privately” available.
The quest to quell risk has many paths
Banks large and small, foreign and domestic, are using different tactics, typically at the outset of new relationships, to meet the end goals of true customer understanding, regulatory comfort and richer and timelier data for law enforcement. For example:
Social biometrics: Some banks, remittance firms and other non-financial entities subject to anti-money laundering duties are looking up the social media profiles of prospective, and in some cases, current customers to better understand their risk of financial crimes.
Other banks are formally adopting third-party systems that engage in social media deep dives, a field referred to as “social biometrics.”
Standard biometrics: Some banks in risky regions, like Somalia, Pakistan, India and other jurisdictions, have adopted biometric authentication methods to more effectively prove the risk of given populations of customers or, at the very least, prove to foreign correspondent banking partners that the criminals or terrorists they are worried about are not hidden among a digital population of customers.
Adopting this technology could also make it more difficult for hackers to get access to accounts or move funds out once they are breached.
All crimes lens: Several large domestic and foreign institutions have expanded the scope of the standard anti-money laundering risk assessment to look for entities that could be at a higher risk of other financial crimes, including corruption, human trafficking and tax evasion.
This includes more questions of certain customers, more precise tuning of transactions systems and increased analysts oversight.
Customers’ customers: Moreover, more banks are requiring additional information on not just the direct activities of certain customers, say a large trade business, third-party processor or even foreign bank, but also asking about the kinds of customers, transactions and regions would their customers be involved.
Part and parcel of this is some banks actually requiring non-bank entities to adopt AML-type program elements, such as enhanced customer scrutiny, record keeping and suspicious activity monitoring and reporting duties.
Social media abounds, but is not broadly adopted yet as risk metric, KYC prong
In discussions with top banks, card issuers and remittance companies, many were doing little to nothing with “online and social data, structured data or using any type of social onboarding,” in the initial customer due diligence or know your customer procedures, which would allow more details to be plugged into the risk model and related profile or assessment, Ayers said.
For instance, the Socure system, based on proprietary algorithms, can gauge how many friends a person has at the same company or for how long or even how many people said Happy Birthday on Facebook.
“These are things that make us real,” he said. “The things you can’t create using a bot. You can’t recreate 10 years or normal messaging behavior, likes and comments on pictures.”
Socure is currently working with six of the top bank and remittance companies and a leading card network, Ayers said.
In addition to standard public records, a driver’s license or passport and credit checks, there is a “third piece missing, a big other data source: the Internet,” he said. “That’s 25 years of data on who we are, what we do, who we spend time with and what we do in real time. You are in the real world and in the digital world. We marry these worlds to better know your customer.”
Banks, though, even if it is available, may not use the technology for “every retail customer that comes in the door, but for institutions with branches in other parts of the world, particularly high risk jurisdictions, that makes more sense,” said a compliance officer at a large bank in the US.
Criminals, data thieves can be hard-pressed to invent social histories
Even so, beyond just making sure that person is real, and plotting out where they live, work and shop, social biometrics can also parse out what is missing to see when someone tries to create fake or synthetic IDs, but are not able to create years of history on popular online sites, like Facebook, such as having certain classes of longtime friends and family members, Ayers said.
The prevalence, or absence, or social networking information on something can be a critical data point.
With the data, institutions can then craft behavior models for customers at various risk rankings, and interweave those findings with geodesic location information and facial recognition software to better parse out which customers could engage in illicit activity.
In the case of Socure, it comes back with six different scores, including authenticity to see if the individual is a real person and say, not, part of a synthetic ID fraud scheme, a confidence rating, fraud score and a code detailing the type of risk of the entity, such as if the person has been blacklisted in a particular sector or has been linked to ID credentials of the deceased.
But there is still some resistance in regulatory exam circles because they don’t understand what social media is and how it can concretely tie back to real humans, said a second compliance officer.
“In some cases, you mention Facebook to an examiner and they don’t even want to touch it,” said the person, who asked not to be named. “So banks really must use a combination of documentary and non-documentary methods” to get access to a wider universe of details, but still satisfy regulatory obligations to know their customers.