Today’s compliance teams are dealing with a difficult confluence of challenges. Budgets and resources are facing extra scrutiny at the exact time escalating regulatory expectations, volatile geopolitical conditions and macroeconomic instability are adding significant pressure to already resource-strained teams. LexisNexis Risk Solutions’ Tracy Manning explores the shifts that brought us to this point — and what companies must do next.
Digital acceleration has ushered in a new way of doing business. Companies need to comply as fast as the transaction when it comes to customer experience. Regulatory expectations are catching up to the real-time pace of the digital economy, and regulators are signaling that they expect companies to equally apply the technology expertise they use to accelerate business growth to how they manage compliance risk. They expect businesses that can facilitate instant transactions to be capable of leveraging technology to manage risk in real time as well.
Recent enforcements demonstrate that regulators are working under the presumption that the robustness and reach of an organization’s compliance program should scale at the same rate as its business.
Various regulations and guidance, including the Anti-Money Laundering (AML) Act of 2020 and recent regulator guidance on human trafficking, virtual currency and Russian sanctions evasion, signal greater scrutiny around timely sanctions controls, digital identity, device and location data risk. They also show regulatory scrutiny broadening to include traditionally non-regulated industries, such as ecommerce, retail, real estate and accounting services, that are increasingly becoming new threat vectors.
Geopolitical volatility exposes compliance gaps and vulnerabilities
2023 is still experiencing unprecedented and highly coordinated sanctions in response to the Russian invasion of Ukraine. Compliance programs are forced to navigate a regulatory climate characterized by exceptional velocity, scale and complexity.
Regulatory risk vulnerabilities extend beyond sanctions on specially designated nationals (SDN) to corporate structure and ownership, relatives and associates, dual-use goods, trade finance and export controls.
Regulatory requirements are changing in real time and businesses are expected to keep pace. A recent sanctions enforcement against an organization lists, within the violation, transactions by an SDN that occurred within six hours of the designation. Another enforcement clearly signals that regulators increasingly expect compliance controls to be implemented not only at onboarding but perpetually across the customer lifecycle.
Bad actors are adding another layer of challenge to an already complex regulatory situation. They are taking even more advantage of the anonymity and speed of digital channels and disruptions in fintech, gaming and marketplaces to avoid detection for financial crimes and sanctions evasion.
Criminals are also leveraging new, widely available technologies in their schemes. They can use the onion routing (Tor) browser or a virtual private network (VPN) to obfuscate location during a transaction, allowing them to bypass basic location risk controls such as IP blocking. The LexisNexis Digital Identity Network recorded a 250% increase in devices using Tor or a VPN in the days immediately following the Russian invasion of Ukraine. Demand for VPNs in Russia increased nearly 2,700% between Feb. 24 and March 24, 2022.
It is becoming essential for companies to utilize more sophisticated tools for identifying location-based sanctions risk or assuring that an entity presenting in a digital channel is, in fact, who it purports to be. The key lies in proofing digital identity with the same rigor as physical identity and using the vast pool of now-available digital identity and location signals to understand with confidence the linkage between the two.
There is more evidence that the rapidly shifting landscape is sending bad actors and high-risk consumers deeper into their networks to present themselves as anyone other than who they are during a transaction. The Enablers Act would extend the Bank Secrecy Act (BSA) to include trust companies, lawyers, real estate companies and art dealers, all of whom criminals may potentially leverage to confuse and complicate know your customer (KYC) and AML workflows.
The culmination of factors shaping today’s regulatory environment makes it critical to know your customer, their associates and their business in real time from an end-to-end, more holistic and even historical activity perspective. It’s no longer enough to assess your risk at a given point in time.
If anti-financial crime teams want to truly know the company’s consumers and prevent criminal evasion, point-in-time checks are no longer enough. They can and should look at an entity’s history to carefully assess any changes that may have occurred just prior to sanctions or following sanctions to see if there were name changes, organizational structure changes or address changes just before or just after Russian sanctions went into effect.
Fueling a persistent KYC strategy requires collaboration, shared data and shared technology
The convergence of multiple types of risk in digital threat vectors — in parallel with acceleration of digital transactions — calls for a higher level of collaboration between the AML compliance, fraud, information security and consumer experience functions within a business. Siloed approaches are not a sustainable model for the real-time digital economy.
Manual due diligence processes and disparate risk decisioning are putting businesses behind on delivering a smooth consumer experience while leaving them dangerously exposed to compliance and sanctions violations — and the reputational damage and long-tail direct and indirect costs that follow an enforcement. Fifty-nine percent (59%) of mid/large U.S. banks report that compliance onboarding delays negatively impact new customer acquisition.
Real-time risk management encompasses a perpetual and event-based risk approach reflecting specific touchpoints in each consumer’s journey that may represent higher risk. Persistent risk scoring creates a more optimal level of end-to-end risk visibility that expedites decisioning and helps eliminate the opportunities high-risk individuals may be exploiting to enter your ecosystem. It also delivers big efficiencies.
Our new digital normal only continues accelerating, with new digital threat vectors emerging daily and digital transaction volumes continuing to soar. It’s time to reevaluate compliance strategies and transform them to support real-time risk management.