What a difference three years makes
- Good morning, ladies and gentlemen, it is a great pleasure for me to participate once again in the ACAMS APAC Conference, and my congratulations to the organisers for putting together such an interesting programme.
- Since the last time I spoke here in 2018, life and the world have changed beyond recognition. In addition to its consequences for human health, the COVID-19 pandemic has resulted in far-reaching changes to the way financial services are delivered. Digital and online offerings have accelerated, while at the same time a multitude of opportunities has also opened up for those who would seek to abuse the global financial system.
- For sure, we are focusing on Anti-Money Laundering (AML) issues over the next two days. At the same time, we must not lose sight of the core mandates that we have all been working very hard to deliver in this challenging period. And we have been broadly successful so far, by helping mitigate the economic disruption brought on by COVID-19 so that consumers and businesses can get through the pandemic and continue contributing to economic development.
- When I was preparing for this event, I could not help but look back to three years ago – April 2018 – and the thoughts that I shared with you at that event. On that occasion, I highlighted three issues as having significant potential to change how effective we are in our AML work:
- The promise of technological innovation;
- The emerging focus on public-private information sharing; and
- Getting the risk-based approach right by thoroughly understanding risks.
- Three years on, I think we can all agree that the potential of each of these has been clearly demonstrated. The path to achieving a step-change in the outcome of current responses to money laundering and terrorist financing – based on the tools and techniques at our disposal – is much clearer. Let’s quickly recap what we have seen and experienced so far.
- First, the value of technology in allowing us to swiftly overcome some of the challenges caused by COVID-19 is well recognised. Digital and online innovation has helped to improve remote access to financial services. That has also allowed banks and other financial institutions to protect their workforces through work-from-home arrangements, and provided data analytics to raise red flags on networks of COVID-19 fraud accounts. At the HKMA, we are committed to supporting innovation that works for all types of customers and for both small and large institutions. We also recognise that our regulatory framework needs to keep pace – focusing on outcomes, and being forward-looking. It is therefore not surprising to see that our Fintech Supervisory Sandbox and Chatroom have seen high levels of demand for early supervisory engagement on potential use cases.
- Second, public–private partnerships between law enforcement agencies, regulators and financial institutions exhibited a remarkable growth in the last three years, including in Hong Kong. That brought about clear improvements to our ability to identify and disrupt financial crime. Let me give you some idea of the results that the partnership in Hong Kong is capable of delivering. Since its launch in 2017, actions taken by banks through the Fraud and Money Laundering Intelligence Taskforce (FMLIT) have led to HK$692 million being restrained or confiscated – that is the proceeds of financial crime, investment scams, fraud and other serious crimes.
- And thirdly, there has been an increasing cultural change in the banks that we supervise – a move away from an overarching desire to simply “tick the boxes”. AML work is now increasingly viewed as more of a multi-dimensional activity, to which the understanding of risks – both current and future – is central and fundamental. There is a much broader acceptance that it is this understanding of the risks which then determines which tools to use, and which tools to develop for possible future use, in order to tackle new and emerging threats. Using effective tools in turn helps focus our limited resources on the highest risks, and coordinate the public and private sectors to work together to achieve the best outcomes.
- So all those three elements I spoke about three years ago have seen impressive progress, particularly with how the AML eco-system has responded to the challenges that COVID-19 has brought, across all sectors and all regions. Perhaps it will also be helpful for me to refer to a few practical examples here.
- First, on COVID-19 scams, those cases have had economic and social effects that are far-reaching and often very nasty. Much-needed funds have been diverted away from Government efforts to contain the pandemic due to fraud against hospitals and health care facilities around the world, as well as those targeting vulnerable individuals.
- The good news is that our global system has responded swiftly – the Financial Action Task Force (FATF) has taken an early lead in tackling such cases, and I think the leadership and guidance provided has been extremely helpful.
- Another example is that regulators, including the HKMA, have been encouraging banks to make the fullest possible use of the risk-based approach to Customer Due Diligence (CDD) already built into the international standards in order to address practical issues arising from business continuity planning and social distancing measures. Technology came to the fore very quickly: remote on-boarding and relationship management went almost overnight from being a “nice to have” to an essential aspect of business continuity. Regulators and the banks that they oversee were largely working from home, so across the board we quickly adopted a pragmatic, risk-based approach to our AML/CFT supervision.
- In Hong Kong, the collective response also included enhanced information sharing through public-private partnership, which resulted in six alerts on prevalent financial crime threats, including COVID-19 related frauds, being shared with the industry to help develop risk-mitigating measures. As a further step to enhance the effectiveness of our efforts, the HKMA also provided guidance to improve the industry’s analytics capability through the use of technology to enhance data quality and intelligence.
- Now, despite our success in tackling these immediate challenges of COVID-19, we must not lose sight of long-running issues that are constantly reshaping how AML work is being conducted. AML/CFT policymakers, in addition to tackling those immediate issues arising from the pandemic, should not lose sight of the crucial question of what various policy responses will mean for our future direction and forward-looking priorities. And given our assessment of evolving trends, what are the key challenges that we must expect to face in our global AML efforts as and when the pandemic hopefully fades?
- As shown by recent experience, transforming the ways in which we approach the identification and disruption of ML/TF risks goes beyond simply implementing the standards set by the FATF – although such standards remain very important. The key question now is how can we take advantage of the lessons that we have learned in the past few years? I would like to name three priorities or key trends here.
First, I would say what we have seen in the past year showed that our implementation of the Standards must constantly adapt to changing circumstances.
- While we all had Business Continuity Plans (BCP), these were unavoidably limited in scope. For example, we never expected that banks and their customers, as well as banking supervisors, would all be in the same situation of working remotely. Certainly we cannot predict future events, but we can say that our collective responses to COVID in terms of BCP have so far stood up to the test. That said, in order to achieve the step-change we all aspire to, and deliver better outcomes, it will be essential for governments, regulators and the private sector to continue to be adaptable in how we approach AML/CFT work.
- I have just now provided examples of how we fully used the built-in flexibility of the risk-based approach, together with the application of technology, to deliver an effective response to some of the challenges of COVID-19. We acted quickly, and with NO change required to the standards that all of our systems are based upon.
- At the same time, we must not simply regard FATF standards, as well as Mutual Evaluations (ME), as simply compliance-orientated or, in the case of MEs, static assessments that take place once every eight or nine years. Hong Kong received a good FATF score card in 2019, but that only means that we are capable of doing more, sharing more, and contributing to better outcomes globally in a continuous manner.
- Going forward, I believe that being adaptable in our implementation efforts will require changes in the way we do things. More specifically, while the pandemic continues to challenge all of us, I think it should be a catalyst for the wider adoption of latest technology, in the form of Regulatory Technology (Regtech), as well as more efficient and effective AML/CFT measures. Those I believe are also the views of David Lewis, Executive Secretary of the FATF who also said “As AML professionals, we all need to take more risks and stop just ticking the boxes.” I think he is referring to the much needed adaptability in our implementation efforts. The guidance from the FATF is reassuring in this regard, and this leads to my second point.
The AML/CFT Regtech adoption is a journey for banks and we should begin to drive more effective outcomes in better leveraging that process.
- We have seen in the past two years an increasing trend for regulators globally to call for, and through their actions, enable more innovation and flexibility in combatting money laundering and financial crime. That I think is a very welcome development.
- At the end of 2019, just before the pandemic started, the HKMA held an AML/CFT RegTech Forum to explore the role that technology could play in preventing and detecting financial crime. One of the key lessons that transpired from that event was the importance of bringing different parts of the eco-system together to discuss common challenges and pain points with Fintech firms who may be able to offer solutions. And we have followed up across the three breakout groups of banks, what we called accelerators, enablers and collaborators, over the past year on concrete plans of individual banks.
- In January this year, we released a report titled “AML/CFT Regtech: Case studies and Insights”. Through that, we shared comprehensive, hands-on experience from banks at different stages of AML/CFT Regtech adoption, and emphasised a number of key insights on the potential for technologies to assist in detecting and preventing money laundering and financial crime.
- In that guidance, we have also deliberately and explicitly identified specific technologies and data applications, such as data analytics and the use of non-traditional data like IP addresses as well as robotic process automation in handling transaction monitoring alerts. Actually, some of those technologies featured prominently in the successes we saw in identifying and disrupting networks of mule accounts linked to COVID-19 scams and also the rising number of investment scams.
- Our guidance also underlines another important point that as far as Regtech adoption is concerned, the human element remains critical to identifying and developing the skills required to advance AML/CFT Regtech adoption, while being supported by a culture and capacity of innovation.
- This issue of the human element and the need to put in proper capacity is, of course, easier said than done. Data and other highly trained specialists are certainly essential to the adoption of certain AML/CFT Regtech solutions. However, data specialists have to work with experienced AML professionals, who continue to be vital to building and maintaining an effective control framework. We have found that the balance between these skills differs depending on where an institution is on its Regtech adoption journey. Data specialists are often not required until institutions begin experimenting with more advanced technologies.
- Those banks that achieve the right balance often emphasise building effective partnerships between staff with different skill sets and fostering an iterative mindset. This is where I think ACAMS has a very important role to play in the next few years in continuing to build capacity in AML/CFT and making practitioners aware of the part that technology can play in making their work more effective and efficient, better equipping them to collaborate with data specialists who can support them in delivering the work.
- Regarding the future direction of the Regtech journey, I think the key is that regulators globally should call out specific issues and problems, so we can collaborate and leverage technology to innovate and make progress. Our work in the HKMA involves discussion across the global and regional networks of regulators, and we see benefits in our active participation in the FATF, including co-chairmanship of its Evaluation and Compliance Group for the current term. This sentiment seems to be shared by my colleague from the Monetary Authority of Singapore, which is also very active in the FATF.
- Transformation is not just for the private sector – at the HKMA we are also implementing a series of changes which will not only apply current technology solutions to our risk based AML/CFT supervision, but will also allow us to adopt future technologies and techniques. In keeping with international trends in AML/CFT, we have been significantly enhancing our ability to source, capture, store and process data across the full spectrum of activities, augmenting the supervisory skills of our existing AML/CFT experts by hiring data specialists. Investing in people is the only way to get the most out of technology. We need to encourage them through the right culture, and empower them with relevant, practical opportunities.
- So, if we manage to identify the appropriate Regtech solutions and then throw enough expertise and resources behind those, is that all we need to do in order to face the upcoming challenges? We would need something more, I think. And here, let me circle back to one of the three themes that I deployed in my speech three years ago: the importance of information sharing. I think we need to push this line of effort further.
I think this is the time for us to push to realise the full potential of information sharing in our AML efforts.
- With the development in the past two to three years, public-private partnerships and similar information-sharing arrangements are now firmly at the centre of the global response to financial crime, having changed the way we work collaboratively to analyse and disrupt shared threats to deliver better and more solid results. We now see them as a key part of the response to the proliferation of online scams, including investment fraud. But I would also note that the global role of partnerships is still comparatively small relative to the scale of the threat from global financial crimes.
- There is therefore a collective need globally to increase the tempo in these partnerships. Let me explain how we are doing that here in Hong Kong. First, we are increasing the number of banks which are members of the FMLIT from 10 to 15, which will increase the flow of data going into the system and help to reduce displacement risk. Secondly, we are taking steps through thematic work to improve the industry’s analytics capability. This will help banks to identify fraud related accounts earlier – sleeper accounts before they are activated for example, and in doing so reduce the potential harm to victims. And thirdly, we are today issuing guidance based on some of the good practices developed by our FMLIT banks, particularly with regard to how they integrate external information, data and alerts into their AML/CFT systems, and the use of data analytics tools more widely and other Regtech applications to produce better, more targeted outcomes. There has never been a clearer understanding of the overall objective across the public and private sectors – to improve the quality of data and intelligence going into the AML/CFT eco-system to drive better results – and the role of information sharing in achieving that.
- The priorities that I just highlighted – to be more adaptable in our implementation efforts, leveraging Regtech adoption, and the need to push further on information sharing – are intended to be a starting point to stimulate discussions over the coming two days.
- And just as we at the HKMA, as a regulator, strive to make our regime increasingly focused on outcomes and effectiveness, I want to encourage all of you, whatever your sector or role in AML/CFT, to work with us in transforming our collective approach. We need this transformation to make sure that we have a high-performing regional and global AML eco-system that supports a financial system fit for our digital future, and appropriately manage the risks which come along with the many benefits of digitalisation.
- We must be clear – the characteristics that we must sustain if we are to be successful over the longer term have as much to do with attitude and willingness to adapt as the technology which provides the platform; to be more data-driven and promote information sharing; to take more risks and stop just ticking boxes.
- With that, I hope you all enjoy the rest of what, I am sure, will be a very productive two days of sharing and discussion.