AML is the world's most ineffective policy experiment...

Simon Taylor Co-founder 11:FS & CPO 11:FS Foundry

AML is the world’s most ineffective policy experiment. Imagine if you had a car that didn’t work 99.9% of the time. That would be annoying, right?

This is taken from our Unfiltered newsletter.

It’s a bit more complex than that, but still, the failures keep coming.

In the past few years we've seen fines for banks like HSBC, Deutsche Bank and Capital One for their AML failures. These failures allowed checks to be cashed by known criminals causing millions of dollars of tax evasion, fraud, and organised crime proceeds to be legitimised. I should mention many of the banks involved have taken steps to tighten their controls.

But I'm viscerally angered by this. Not because a bank wilfully allowed a crime. But because the solution is to file a suspicious activity report (SAR). This is the regulator's answer to everything. File a report. The banks can prevent transactions or close accounts, but the one thing the regulator insists on is that a report gets filed.

Let's unpack this a bit.

KYC (Know Your Customer) and AML (Anti Money Laundering) are complex terms. They're essentially catch-all procedures designed to prevent all kinds of horrors - from global arms dealing and terrorism to human trafficking and modern slavery.

KYC requires each bank to identify who their customer is with evidence (like your passport or social security number). Hence "know your customer". The bank must then follow a series of Customer Due Diligence (CDD) - and sometimes Enhanced Due Diligence - checks. The bank must also check that the person isn't on a sanctions list (e.g., they're not considered a danger by the USA or EU).


How it's supposed to work

What's vital to remember here is that banks are responsible for preventing, detecting, and reporting crime. Banks are, in effect, the "money police."

So in a perfect world, when a known criminal tries to open an account, the bank's KYC and CDD would spot the criminal and either refuse them the account or report all of the transactions that the criminal made. The report (SAR) should then be followed up by law enforcement, leading to asset freezes, arrests, and potentially even prison. But do you want to know the dirty secret of AML?

Data for why AML is the world’s most ineffective policy experiment.

This week I had an opportunity to properly deep dive into this work by Ronald F Pol. It finds that AML policy has less than a 0.1% impact on criminal finances. Compliance costs exceed recovered illicit funds by more than 100x. Banks, taxpayers, and citizens are penalised more than criminals. Policymakers keep blaming banks and hitting them with massive fines hoping to fix the problem, but it doesn't.

Again, imagine if you had a car that didn't work 99.9% of the time.

Annually, anywhere between 3 and 5% of global GDP is estimated to be the proceeds of crime. Yet policymakers globally almost refuse to admit any policy failure. Instead, the "war on AML" continues, wilfully and negligently.

There is much we could do with regtech.

If you look at AML as a data science problem, then we have two things to fix, data quality and privacy.


1. The data quality problem

Consider someone who opened a bank account in the 1970s. Someone at a bank branch likely looked at the passport and was unable to take a copy. That customer could well continue to be using that account to this day. Today digital account opening is more usual. But the system is so interlinked that having some customers with recent digital identity credentials isn't enough.

For example: If Bank A has perfect data about its customer, but Bank B's customer opened their account in the 1970s, Bank A has no way of knowing what happens inside Bank B. The regulator receives a report from Bank A and Bank B, but the data doesn't match.

The regulator is like the man with two clocks; he can't tell the time.

The regulator and law enforcement are also public servants with limited resources. They're as good as the data they're given, and the "regulatory reporting" bit of bank infrastructure is the last bit any bank wants to touch because if they get it wrong, they might get fined.

Policymakers have created an environment where the private sector has all of the responsibility but very few tools. Imagine if we started having a data quality conversation instead of having a "compliance" conversation.

There are now good initiatives (like IIN from JP Morgan and GPI from SWIFT) from the private sector. There are many innovative regulators running hackathons in regtech around the edges. There are reasons for hope.

But what about policymakers? At the very top? They're still Yellen' at crypto. Secretary of the Treasury nominee Janet Yellen believes crypto assets "many are used—at least in a transaction sense—mainly for illicit financing." Despite the old finance world suffering nearly 5% of GDP as criminal activity, Bitcoin has closer to 0.5%.

2. The privacy problem

KYC relies on sharing your real identity with a bank or institution. If your real identity is a criminal, presto, we caught a bad one!

The problem with criminals is they tend not to walk into a branch with their real criminal identity. They tend to obfuscate that.

But you and me? We have to share our underlying personal data to use the system. That means personal data is collected en masse and can then be mishandled by institutions with ageing technology, then centralised at a credit rating agency like Equifax, only to end in an almighty personal data breach.

The whole system penalises you and me much more than the criminals. AML policy is so broken it's on my list of things that should be the headline of the news every day.

What's worse is privacy-preserving technologies not only exist, they're effective. End-to-end encryption has been around since the invention of PKI in the mid-1970s. Consumers can attest their identity without sharing underlying documents as evidence in Norway, Holland, and India.

Yet policymakers often attack privacy-preserving technology the most, whether by trying to bring down end-to-end encryption in chat apps or by requiring paper-based AML for cryptocurrency, for fear of what criminals could do.

But here's the crazy thing. Quietly, law enforcement LOVES Bitcoin. There's a global record of every transaction ever that is completely tamper-proof. It's so transparent; it's a bit of a privacy worry in its own right. If you ever reveal yourself on Bitcoin, you could be "financially stalked" every time you interact with that Bitcoin wallet. Crypto data analysis firms like Elliptic and Chainalysis have shown that you can very effectively detect and report criminal activity if you have better data quality.

Additionally, the open-source crypto community builds several privacy-preserving identity solutions (self-sovereign identity, if you want to go down that rabbit hole).

Now here's a crazy idea.

What if, instead of trying to prevent privacy, policymakers were to:

Admit paper-based KYC and AML is broken

Work with the open-source world of crypto, not against it

When the UK introduced a new way to get banking licenses, a generation of entrepreneurs saw an opportunity and unleashed a fintech innovation wave.

Small policy changes can create massive differences.

Let's do better.