Guest blog: Onboarding, keeping the ‘front door’ secure

The Financial Conduct Authority’s review of financial crime controls at challenger banks earlier this year raised serious concerns around the adequacy of some banks’ financial crime checks when taking on new customers. The report focussed on six organisations, representing eight million customers, highlighting the need for banks to better understand clients’ financial position in assessing financial crime risk and noting a trade-off between quick and easy account opening and robust controls, and in some cases, banks not having financial crime risk assessments in place at all.

It’s not the first time such issues have been flagged. As far back as 2020, the National Risk Assessment of money laundering and terrorist financing (NRA) raised concerns that fast onboarding systems of Challenger banks were attracting criminal networks looking to exploit security weaknesses to establish mule and herder networks.  While the FCA considered the impact of the processes to be primarily on the financial sector, the interconnectedness of the modern digital economy means the effects of this weakness are undoubtedly felt far across the wider ecosystem, including in law enforcement.

Opening a bank account is like opening a door to the wider financial system. It demonstrates that you’ve presented and successfully passed a robust screening process – or it should. This is why any weakness in bank controls presents such an existential risk to the financial sector and beyond. Giving criminals easy access allows them to legitimise their operations and expedites the flow of illicit finances through mule and herder networks, enabling criminals to easily move stolen funds and enjoy lavish lifestyles.

Ironically, it’s the enormous demands placed on modern-day banking systems by consumer desire for faster payments and frictionless customer experience that enables criminals to the abuse of the system.  Despite massive investments in better fraud detection, the sheer volume of traffic, restrictions on information sharing and the lack of a cross-sector, networked approach makes it virtually impossible for every risk to be monitored and investigated.

This is why keeping the front door firmly closed to criminal networks is fundamental to the integrity of the system.  Denying access – or at least significantly limiting it – will go a long way to mitigate risk and potential harm. Such is the significance of the FCA’s findings into challenger banks’ processes.

You only need look at extent of attacks being mobilised by sophisticated global fraud networks to appreciate the extent of the problem. 1.6 billion high velocity bot attacks were detected in just six months in 2021 by the LexisNexis Risk Solutions Cybercrime Report, feeding a vast global web of criminal-controlled mule and herder accounts through which money can be easily and swiftly moved and laundered at the front end of the system.

Sadly, few, if any herder or mule networks are ever prosecuted. Less than 1% of policing is currently dedicated to dealing with fraud, despite being the most common crime in the UK. All of this contributes to an increasing demand in law enforcement that is already overwhelmed.

Also unfortunate is the reality that little if any money is ever recovered from the fraudsters – instead it’s the ecosystem itself that foots the bill when the victim is reimbursed. So, what must happen?

Once we accept that the insatiable consumer demand for fast onboarding and faster payments is not going away, it becomes incumbent on the sector as a whole to ensure onboarding controls are watertight.

A good starting point here would be, where possible, to replace manual onboarding processes with automation to ensure greater speed and importantly accuracy. The 2021 Cutting the Cost of AML Compliance[1] report found that AML costs the financial services sector £28.7 billion per year – equivalent to half the UK’s defence budget. Only around 25% of this was found to be spent on technology that can streamline processes and efficiency.

To facilitate this shift, regulators must look to give more assurance and guidance on what technology is appropriate to layer into onboarding processes.  In a 2020 study 90% of firms called for better guidance from their regulator on implementing more effective AML controls and whilst April’s FCA review acknowledges the use of technology and biometrics as important, firms will be looking for stronger commitment before implementing costly and time-consuming digitalisation processes. Despite HM Treasury’s recent root and branch consultations on AML compliance that began in 2021 we’re still missing opportunities and delaying the move towards collective technology adoption that could have a transformative effect on fighting financial crime.

Removing this hurdle can then open up the field for a concerted push towards digitalisation. Powerful biometrics and networked fraud detection intelligence networks supported by data and analytics tools with the power to see through the noise of billions of annual global transactions and spot associations between entities, devices and locations and make connections that are all but invisible to the naked eye.

Combined with greater intelligence sharing capabilities this would give institutions the ability to share financial crime red flags across a cooperative global network enabling others to act immediately to mitigate risk, not to mention reducing the duplication of investigation resource carried out by banks operating in silo. It could also vastly improve the quality of SAR submissions enhancing the overall understanding of threat across the system.

To mitigate risk that may have already infiltrated the system, behavioural biometrics capabilities can look at the signals created from device sensors to monitor for consistencies in a user’s behaviour, allowing organisations to quickly recognise and authenticate genuine users, while stepping up authentication or denying access where behaviours are not as expected. Ultimately, biometric-driven technology will deliver more scrutiny to those who subvert the system and assertively seek to deny them access or minimise the damage they can incur.  Better, quicker and more accurate exchanges of information will also help identify those who are exploited and vulnerable, and assist in implementing appropriate support mechanisms.

Information sharing must of course always be legitimate and proportionate to the risk, but the digitalisation of our daily lives means we now need a different approach to preserving the security of our systems. Linear information sharing between one or two institutions is no longer fit for purpose – what’s required is a digital and networked response that builds inherent trust and confidence into the system.

Robust onboarding, smarter technology, biometrics, good risk assessments and a joined-up approach should be the minimum expected standard for any organisation that creates legitimacy of a digital identity through onboarding. A radically new and much more integrated approach is now urgently needed to stem the tide of dirty money running through the global financial system and stop criminal networks in their tracks. 

It’s a common misconception that fraudsters are lone operators working independently. They move within a hyper-connected, cooperative global network – so therefore, must we.