Epic Technology Group Chief Executive Officer Viraj Mudalige

Expert payment solutions architect calls for a collaborative approach, says industry willing to invest on a national platform and help the Regulator to tackle financial frauds

By Hiyal Biyagamage

Few decades ago financial institutions worldwide enjoyed the security and protection offered by archaic systems that operated in isolation requiring only physical barriers to restrict access. This was primarily due to the fact that virtually all financial transactions were conducted offline and did not require the inter-operation between multiple systems across various geo-locations.

Today, however, the world is digitally intertwined in a complex sphere of billions of people and devices interconnected in a virtual landscape where financial systems are exposed to ever-present threats and vulnerabilities from malicious sources world over. The inter-dependence between multiple systems to deliver financial services therefore relies on the authenticity and integrity of each system to deliver a secure and trusted service: A single infraction could have a snowball effect on an institution and that minor breach could be exploited for unexpressed gains causing billions in damages and losses.

Post-9/11, the global economy has had a dramatic 180° turn where some of its economic impacts continue to this date. It deepened the 2001 recession further and the world witnessed the US embark on one of the biggest governmental spending in US history during the War on Terror. The high-level impact of this gargantuan expense added further fuel to the 2008 recession and nations had to overcome continuous battles of unemployment, economic disparity, inflation and continued financial slump. Meanwhile the rise of terrorism and terrorist-funded activities has built a platform of uncertainty and insecurity across the globe.

This is more so evident in the financial landscape where terrorist organisations depend heavily on receiving illegal funding from untraceable sources world-over to conduct their extremist and violent activities. And in the increasingly digital dependence as it is today, it is unsurprising that such extremist organisations are turning to the digital arena to accomplish their financing requirements through online money laundering tactics thus making it virtually impossible for authorities to track and prohibit such activities using traditional mechanisms

It is ironical to say the least that digitalisation being the platform which promotes democratisation across the globe has resulted in an intensified threat of money laundering by several folds during the last few years. Today, the digital landscape has become the primary platform which spearheads money laundering activities for all forms of illegal and terror organisations across the globe.

What is Money Laundering?

Money laundering is essentially white-washing illegitimate funds so that it appears to have been obtained through legal means: A person who has received some form of ill-gotten gains will seek to ensure that they can use these funds without it being realised that these funds were acquired illegitimately. To accomplish this, an individual needs to disguise the proceeds such that the original source of the proceeds is hidden and therefore, the funds themselves appear to be legitimate.

Money laundering has three stages – placement, layering and integration. Placement is where illegitimate funds are inserted into the retail economy and is the most difficult stage in the cycle. The objective of the placement process is to remove the funds from the acquired location so that it would avoid detection from the authorities when being placed in a financial institution.

Next is the layering, which is the process of disassociating illegitimate funds from the original unlawful source by creating a composite web of financial transactions with the intention of concealing audit trails, source and ownership of funds. The typical scenario for a layer is moving money in and out of offshore bank accounts around the globe multiple times through electronic fund transfers thus leaving a complicated tangled web of audit trails which are arduous to unravel and trace by any financial or governmental authority.

The final stage in the money laundering process is integrating the laundered funds back into the legitimate economic and financial system with the appearance of legal tender.

The global context and Sri Lanka’s current situation

The United Nations’ office of Drugs and Crime (UNODC) estimates, the amount of money laundered globally is anywhere between 2-5% of global GDP that is between $ 800 billion and $ 2 trillion per annum. While system hacks and data breaches are managed effectively, the best of financial institutions in the world are groping in the dark to trace new-age launderers who are armed with sophisticated tools and technology.

The financial industry has been working tirelessly to put forward policies and systems to protect their boundaries and limit these illegal transactions from being processed. Although compliance costs over the years has skyrocketed, they have actively pushed for implementations of anti-money laundering (AML) as well as countering financing of terrorism (CFT). For example, Citigroup increased their risk and compliance team from 14,000 to 29,000 between 2008 and 2016 and Banks have paid in excess of $ 300 billion in compliance-related penalties over the last years.

In 2017, the European Commission listed Sri Lanka along with Tunisia and Trinidad and Tobago to its blacklist upon the advice of the international Financial Action Task Force (FATF) and by 2018 February, the European Parliament confirmed the commission’s verdict, stating that Sri Lanka has been included in the list for risks attributed to money laundering activities.

Sri Lanka made a high level commitment in October 2017 to work with the FATF and the Asia/Pacific Group on Money Laundering (APG) to strengthen the effectiveness of its anti-money laundering and counter-financing of terrorism procedures and to address any technical deficiencies that may be encountered in implementing such mechanisms. The FATF has introduced 40 recommendations on AML/CFT in order to combat money laundering and terrorist financing and other related offences globally. The APG functions as the FATF’s regional affiliated body and monitors the level of compliance with the FATF recommendations in the region.

Connecting missing elements through technology

Daily FT sat down with Viraj Mudalige, a seasoned payment solutions architect and the chief executive officer at Epic Technology Group, to discuss what are the key elements that are missing in Sri Lanka’s existing anti money laundering process and what can Sri Lanka’s payment solutions industry can do to mitigate adverse economic and social impacts that would occur, if Sri Lanka continues with brittle anti-money laundering policies.

Mudalige was on the opinion that as a country Sri Lanka has had taken steps over the years to implement necessary legal frameworks such as the Electronics Transactions Act, Computer Crimes Act, enabling the acceptance of e-documents and e-signatures and other fraud detection mechanisms as first movers in the region. However, the country has not been able to achieve significant results in terms of fortifying its anti-money laundering, Mudalige opined.

“As one of the top countries in the region to introduce strong legal frameworks to mitigate financial frauds, it is unfortunate to realise that Sri Lanka has not had much success in forming strong anti-money laundering policies. With the recent developments regarding the European Parliament ban, it has come to light that the country has to prioritise the implementation of a robust set of strategies, policies and processes to mitigate anti-money laundering activities and fortify its existing anti-money laundering regime.”

Mudalige suggests that the time has come for the regulator, banks, financial institutions and the local and regional payment solutions industry to collaborate with each other to find a feasible solution to solve the puzzle.

“There is no need to conduct different post mortems to open up the recent incident of Sri Lanka’s blacklisting again and again. The real need of the hour is a collaborative approach between the Regulator and local payment solutions industry to sit together and come to an understanding. First, the Regulator needs to define necessary processes, policies and strategies – amalgamate existing initiatives that were drawn from FATF and APG recommendations if required—and implement a single, coherent anti-money laundering policy that meets international AML/CFT standards. It should also have the capability to be aligned with proper technical infrastructure to monitor different activities pertaining to financial frauds.”

“When it is done, the payment solutions industry can then recommend what needs to be done from a technological point of view. The local industry, possesses years of expertise and competency to help the Regulator to connect the missing pieces of this unsolved puzzle; formulate a plan where the national anti-money laundering policy could be further strengthened with best-in-class financial fraud detection innovations and best practices,” stated Mudalige.

What are we missing right now?

According to Mudalige, the current anti money laundering or the fraud management process in Sri Lanka is missing two crucial elements – online real-time monitoring and real time influence.

“Currently, we have offline monitoring embedded in our process. What it does is generate a report with the details of all the suspicious transactions happened within a month and send to the Central Bank of Sri Lanka. How could a mere report provide details to trace illegitimate funds or the source? That is why the existing process should include real time monitoring and real time influence. Online monitoring can investigate events as and when they happen in a transactional system while online influence helps a financial institution to challenge a certain transaction; monitoring, detecting and influencing (stop or hold) transactions as and when they happen. A proper anti money laundering platform should be designed to handle all these three levels of frauds.”

In order to utilise the online influence process as a whole functional element, few other features have to be included as well. They are:

nCustomer profiling – The transaction activities will be collected at the time of the account opening. Customer profile will be thoroughly investigated and assigned with a risk score/risk rating.

nWatch list maintenance – Analyse data from watch lists published by various international agencies including FATF and APG.

nLinker analysis – Investigate relationships between separate entities involved in financial transactions and unearth any suspicious activity. Metaphonic and direct searches can be performed to find customers to link.

nIntegrated alert/case management – Browse, filter and sort alerts that are listed and assign them to corresponding users for further actions. This will help to study the pattern of suspicious activities reported and take proactive measures to mitigate them.

nTransaction Risk Measurement – Measure inconsistency of transaction patterns against the stated original purpose of accounts. Through this component, transaction rules can be configured to generate dynamic transaction reports.

“The national policy for anti money laundering should have the capability to be integrated with these key features. The watch lists provided by global standard setters for anti money laundering activities play an important part; watch lists not only by FATF and APG but by other important institutes including the United Nations, the Basel Committee on Banking Supervision, International Association of Insurance Supervisors and the Egmont Group of Financial Intelligence Units,” said Mudalige.

Anti-fraud and AML as one unit

One other aspect Mudalige emphasised during the conversation was the unification of anti-fraud and anti money laundering departments of a financial institution into a single ‘Financial Crimes Department’.

“It is a known secret in the financial trade that these two departments are separate due to the genesis of each other. The AML/CFT department was created to address regulatory requirements and the anti-fraud cell was created within the Risk Department to help banks combat fraud. Money laundering and transactional frauds are closely correlated because transactional fraud is often a ‘predicate crime’ to money laundering.”

“I believe greatly that a cross-channel holistic approach is far superior because the system is strong in AML/CFT, transactional fraud monitoring, and enterprise case management. Operations can be exponentially more efficient by bringing the two departments together.

Modern analytics and technologies are important to wage war against anti money laundering but Mudalige believes it is not the sole remedy. He believes that analytics and technology should be embedded in a business-specific manner and ingrained organically into business processes. From time to time, these assessments need to be reshaped to meet new industry norms.

“It is important to develop an end-to-end, tech enabled KYC (Know You Customer) and AML process that has new customer data intake standards, risk-based due diligence, monitoring and customer identification. The design process should cover every crucial component – from rule-based transaction screening to fraud detection.”

Concept of Enterprise Fraud Management

Sri Lanka is at an infantile stage on the concept of Enterprise Fraud Management (EFM). Currently, core financial systems (deposits, remittances, loans, debit cards etc.) of the country are connected to silo-based fraud management systems which are channel specific and perform fraud analysis post transactions.

“The EFM module is designed to support the detection, analytics and management of fraud across users, accounts, products, processes and channels. The module monitors and analyses the behavioural patterns of the user from an application level—rather than at the system, database or network level—and has a close watch upon what is leaked and across accounts using any type of medium to a user. It also analyses the behavioural patterns amongst the users, accounts, other entities, in search for organised crime activities, corruption or misuse.”

When asked whether it is beneficial to integrate both anti-money laundering and enterprise fraud management, Mudalige said, “Yes, of course. Real-time transaction monitoring, integrated case management and comprehensive investigations work bench are the common building blocks of both anti money laundering and fraud management systems. If both systems can be integrated using a single platform, banks or financial institutions can be assured of potential benefits in terms of return on investment, which covers operational expenditure, leading to drastically reduced total cost of ownership.”

Local industry ready to support the Regulator

For any company that is going to take up the challenge, developing an enterprise fraud management module that would tackle and mitigate anti money laundering activities is going to be a costly and timely affair. For the 43 financial institutions in Sri Lanka (opting out the 26 banks which are set up locally), it will be cost prohibitive for them to invest on a comprehensive financial fraud monitoring infrastructure and get it implemented for their organisation. This is where the local payment solutions industry should come forward and invest on implementing a national platform, says Mudalige.

“The industry is willing to invest on building a national fraud management platform which could be used by banks and financial institutes of Sri Lanka, at a minimal cost. However, as the financial watchdog of the country, the Central Bank has to take full responsibility and develop a robust, national strategy for anti money laundering so that the payment solution industry could collaborate with the regulator, work on the recommendations and build the aforementioned common platform.”

A number of local banks have already acquired several AML and EFM solutions but when evaluated in depth, certain gaps were found in the functional adherence. Mudalige highly believes, with Sri Lanka’s engineering talent, a top-notch technology platform can be built including some of the best out-of-the box scenarios such as machine learning-based predictive risk scoring, pre-packaged channel and product specific detection and scoring models and business intelligence mechanism that facilitates dynamic behaviour profiling algorithms for customer, accounts and channels (Ex: preferred ATMs, preferred beneficiaries, etc.).

“Ability to monitor anti money laundering and financial frauds on the same platform will reduce total cost of ownership, and reusing the same interfaces will have the ability to process both financial and non-financial transaction monitoring in real time,” concluded Mudalige.

Epic Lanka