Getting one up on fraud and sanctions compliance
Ruud Grotens: The United Nations quoted that financial crime costs the global economy between $3 and $5 trillion a year. But only 1% of those illegal gains are frozen or seized by authorities. It’s understandable that financial firms and large organisations are devoting much attention to fighting payment fraud and complying with sanctions obligations. But how successful are they really? And should they be doing more?
Hello, my name is Ruud Grotens I'm the head of solution consulting for financial crimes at Bottomline. And today I'm with Omri Kletter, our global VP of product and strategy for fraud and financial crime products. Welcome to The Payments Podcast, Omri.
Omri Kletter: Thank you. Great to be here, and great to be here with you, Ruud. Just for the benefit of the audience, you and I know each other from a previous life from previous organisations, and I'm so glad to have the opportunity to work now together and help the industry and Bottomline to fight fraud and financial crime.
Ruud Grotens: Very much, Omri, and likewise. Omri, the title for this episode is 'Getting One Up on Fraud and Sanctions Compliance.' But here's the thing, fraud prevention and sanction compliance aren't new, right? In fact, sanction screening is one of the most important things an organisation can do to protect funds from malicious activity, and the importance is increasing daily.
So really, it's a critical part of the payment lifecycle when it comes to successfully flagging a fraudulent transaction or catch a payment heading to a sanctioned entity. But it's not as simple as it sounds, as you know.
Omri Kletter: Absolutely.
Ruud Grotens: What about legitimate transactions that get stopped, disrupted operations, delaying settlement, and most important, causing friction to the customer? So, I'm talking about customer experience here. Omri, what's behind that?
Ruud Grotens: So, there are a lot of things, smart things in how you framed it, and they are great challenges in the industry.
I think your starting point around the fact that these things are not new is super valid, but I think it is important that we underscore the changes that are going throughout the industry, the changes, obviously, in the payment landscape, in the greater pressure not only banks feel, by the way, with the need to comply with fraud and financial crime.
I think especially from our unique point of view in Bottomline, it's not only banks. It's also how we help corporates, and we know that with great power comes great responsibility, so the notion that additional players should take part in fighting fraud and financial crime.
So, you're absolutely right, it's not new, but you're absolutely also right to underscore the importance of how you balance fraud and financial crime and how you balance the need to comply to stop things with the need to reduce friction as much as we can and expectations from the user side that will provide a frictionless experience and will do more behind the scenes.
And practically, when we talk about doing more behind the scenes, it's how we obviously utilise technology in order to better detect, to reduce false positives, and to overcome the current challenges out there. We all know that the industry and the different players are full with issues like disconnected legacy systems. We have issues on the resources of actually investigating the tools.
If you go to many of the operational centres of fraud and financial crime, and that's true, by the way, to Tier 1 banks, but also to Tier 4 and 5. I think generally we need to think about the industry in a much more granular and fragmented way. I would argue that you won't see enough change in terms of how things have been done five or seven or ten years ago and how are things being now.
So, I think the overall platform for this podcast, the question that you smartly asked is, yes, it is time to press sometimes the reset button and come up with new methods and new solutions. And I think at the moment, the gaps are clearer both on the fraud side and on the sanction side.
And I think to a certain degree, the way that you framed it about how we can think about it more jointly is super valid. Feel free to share your point of view, but I think it would be fine to say that the current status in the industry is insufficient to a certain degree.
Ruud Grotens: I fully agree, Omri, and I also believe there are invisible costs as well, especially when you look into customer banking and customer experience, this is highly competitive. I think if the customer had a bad experience, they won't go for an additional product maybe, or in worst case, they go to another bank.
Omri Kletter: Absolutely. And we are recording this broadcast where there is a big discourse or a strong discourse, obviously, if you read the newspapers, around the shortage of lorry drivers, truck drivers. I would say there is definitely also shortage in compliance officers and team members that can help with the increased amounts of alerting issues.
And I think this is also part of I think why looking at things more jointly in the same essence that we are framing fraud and financial crime together, or to have the ability to look at the payment in a coherent way and to score it. There is also a shortage in the industry ability to deal with the increased amounts and the changes in the payments industry, for example, instant payment. So definitely call for action.
Ruud Grotens: And doing more with less, right?
Omri Kletter: Absolutely.
Ruud Grotens: Do you believe there are quick wins? Or is it a journey?
Omri Kletter: So, it's definitely a journey, definitely a journey, but with some low-hanging fruit. And I think there are a few things, at least from our experience, again, looking from the payments point of view, which I think is very important. And I think a smart step forward would be to think about cloud strategy, for example.
And the reason I'm starting with the cloud strategy is because if we need to frame- one of the main changes that is happening at the moment is the rapidness of changes, right? So, if you think about bank’s compliance team - and I know that in our audience, we have a few members of this community - the numbers of changes that they need to address in the year is five, six times higher than a few years ago.
It's true for the new regulations that come in, it's true to the new product that the payments team will try to introduce in order to obviously be more competitive etc.
And I think while there is not necessarily one silver bullet that changes it or fixes it, I think starting from, “Let's build the cloud strategy, consumable strategy when we deal with payments, fraud, and compliance together through cloud, maybe, by the way, integrated with the payment story,” would be a very critical starting point. And then the other things we can think about it.
There is definitely ability to improve the results if we invest more in the user experience of the investigator, definitely connected to your smart point, Ruud, around 'do more with less', so how we can convert eight-minute investigation into three-minute investigation. I would start with these two critical elements, thinking about the cloud on one hand and moving things to be more consumable and more integrated with the payment journey.
This is true both for payments fraud and for compliance, which I think the connecting tissue between them is the need, in both cases, to make decisions in real-time, especially in a real-time environment on the transaction. So that's one thing.
And the second thing is really to ask us- each one of the audience members can stop for a second, reflect and ask, “Are we doing enough to make the investigation process easier and more flexible?” And I think that would be a great remedy, and to your question, in many cases, low hanging fruit.
Ruud Grotens: Right. Thank you, Omri. Omri, I want to take a moment to talk about payment digitisation. We are operating in an ever-changing landscape where everything is becoming more digitised and certainly faster, including the movements of funds like Faster Payments in the UK or instant payments elsewhere.
From a real-time fraud prevention and sanctions compliance perspective, what are, in your opinion, the important things to be aware of?
Omri Kletter: Very good question, and I think first of all, it starts from the point that if there are changes in the payment landscape, and the real-time element is one of them, there is a need to ask ourselves, is the tool we're using today- is the method that we are implementing and focusing on today sufficient for the problem we're trying to solve?
And I'm starting with that because I can start with one big question in front of us, volumes. We know when we talk about digitalisation as you framed it, one of the main impacts of that is our ability as users to create 10x transactions compared to before in the same. So, it's easy for us to create more transactions, it's easy for us to log in, it's easy for us to set up a new payee, it's easy for us to even set micro-payments on a regular basis, because I'm just using my mobile etc.
So, one of the biggest impacts of digitalisation is not just the speed that you alluded to, it's also the volume. And I think we know that many of the organisations out there are still handling these issues sometimes in a manual way or in some legacy solutions that haven't been built for this type of volume.
So, I think the volume element is critical, the ability to have infrastructure that can scale. The digitalisation revolution didn't finish yet, and we're expecting to see more and more transactions and events coming into the gateways of these compliance solutions.
So, I can tell you that we invested heavily in creating new infrastructure that is putting the legacy constraints behind. And I think this is true, that would be a very important best practice for organisations, banks and corporates alike.
Ruud Grotens: Yes, thank you for that answer, Omri. And this might be a more difficult question to answer, but intriguing for me. How do financial institutions or corporates know if their fraud or sanction system is effective? And does the perfect solution exist? What is the role of data?
Omri Kletter: Yes, so this is a viable question. And here's something that I'm not willing to say, “So you need only one solution, there is a bulletproof point. Just buy X, and you are covered.” I think it would be irresponsible to say it. But I think there are things banks and corporates should think about.
First, I'm a strong believer in the concept of coexistence and to have more than one a control in the journey. I can tell you, for example, we are very focused on finding ways to have this control sometimes in the gateways, understanding that the bank or the cooperate may have solutions before that.
But there is a benefit, there is a better, I think, setup and configuration if you have more than one place or one junction in the journey when you are asking yourself, “Is this payment a legit one? Is this payment legit one both from a fraud perspective, from APP fraud or account takeover,” and to have the ability to ask yourself again with the additional data that is available for you if this transaction is compliant from a sanctions perspective or other watchlist considerations.
So, I think one best practice is actually to have multiple points in the journey where you want to inject fraud and financial crime. I think there is definitely a benefit to combine the payment fraud and the sanctions into one, a more valuable, centralised place where you have your ability to inject your own logic.
One thing that was very important for us when we designed things was to also allow customers the ability to have greater control, to define their own logic, to maintain their own lists. This is critical. So, I think there is no one solution that can provide this, that's the only thing that you need. I think a good solution that provides the customer the ability to configure and to have their own control is critical too.
Ruud Grotens: Omri, this is really insightful. Omri, we have covered a faster world of payment processing, but coming out of COVID, there is also a new world post-pandemic of remote working. In your opinion, how does that impact fraud detection and prevention measures? And what are the additional challenges that financial institutions and corporates face here?
Omri Kletter: Definitely a new world. There used to be saying in all old Hebrew, and say if you want to curse something you say, “I wish you to live in interesting times.” “I wish you to live in interesting times,” and one can say that we are definitely living in interesting times. So, I'll share my point of view on that, and I'll be glad to hear your point of view on this topic too.
So, one of the first things coming to my mind when we talk about the additional risk - and there is no question about it, there is an additional risk in the new work environment, new world environment - is really the risk with internal threat and internal fraud. We're seeing it on two elements.
One is where employees or internal contacts to the organisations, could be also contractors, we are obviously talking about more complex environments than just direct employees, the risk can come from within, directly, in the essence that we’re seeing, by the way, sometimes employees working in more than one company in parallel. All this working from home scenario enabled it.
So, I think there is a greater need to have the ability to monitor and scrutinise employees in the essence that- ensuring that they are complying with their data access, with how they operate, and there is definitely a higher need to have better monitoring. We are heavily invested helping many organisations.
And by the way, when you think about that, this is, again, another example where it's not only banks. We are helping Tier 1 banks globally on that, we are helping also smaller organisations, but we're seeing a greater need from non-banks to make sure that there is a proper monitoring of employee activity, especially remotely, especially when it's not only about protecting the money, but also protecting the access to some sensitive information.
But the second element of that, and that's absolutely related to things we've seen before like in the famous Bangladesh money heist etc., where the employees are fine, they are definitely on the good side, but there are some weaknesses on their side, on their devices, and there is ability to compromise the access of the employees.
So, I think there is a greater need, if you think about that, to ensure that activities that are done into the payment system that we used to see coming only from on-site, but the reality is that we know that many of the payments processes - think about Swift - control rooms and wire rooms in the US are being accessed by employees from remote.
And I think here, again, there is a need, a greater need to monitor and to score these payments, looking for abnormalities, having this to like scorecard and profiling capabilities on the payments in real-time, as we alluded before this. This is at least my point of view. I would be happy to hear your two cents on that too.
Ruud Grotens: Yes, but it also triggers another important thing, I believe, that's all about regulatory requirements, monitoring user activity, monitoring employee behaviour. What's you’re thinking around data privacy of employees and GDPR issues? Because I agree the more data, the better, actually, that's what we all like in financial crime, but there are regulatory restrictions here.
Ruud Grotens: Or how can far can we go?
Omri Kletter: So, I think first of all, coming and designing the solution from the starting point of the regulation is important. I can tell you that, at least from our point of view, there is no 'one size fits all’, and we're working very closely in different territories on different abilities and needs and on what to collect, how to collect, how to gain consent, etc.
What I can tell you, like in many cases, is actually that metadata enough can be very helpful, and many cases, the metadata, i.e., we're not seeing exactly what's being done, but we can have the overall framework of the data being accessed could be hinting enough to generate the smart alerts that then move you into action.
So, I think that my read of the GDP- it's not only my read, but our customers read on the GDPR, on the different regulations, doesn't mean that there is no way or there is no ability to collect enough information to generate the detection process. And at the end of the day, GDPR is not only about how we protect employees, but also how we protect the bank's customers, how we protect the corporate's customers from making sure that their data is not compromised.
So, one way to look at it is in the other way around, these tools can actually help many of the organisations to comply with GDPR and other privacy regulations, making sure that whatever the end customer, the actual owner of the data asked to do with the data is being respected.
Ruud Grotens: That's really an interesting perspective, Omri. Omri, we've spoken a lot about general fraud prevention, but for criminals, money laundering and fraud now go hand in hand, right? So, if fraud happens, then we know the next step is money laundering.
Omri Kletter: Correct.
Ruud Grotens: I'd like to shift a bit and talk about money laundering and sanctions compliance. Not so long ago, I saw that according to Kroll's 'Annual Enforcement Review, 2021', it reported the total failure of AML enforcement has rocketed. In fact, it stated that it had reached 2.2 billion US dollars by the end of 2020, and that is five times higher than in 2019.
How can a change in approach to sanctions compliance help organisations avoid becoming part of this statistic?
Omri Kletter: The statistics you are sharing is really mind-blowing and absolutely a strong reminder of the different forces that are acting- or impacting the industry. And I think to a certain degree, a good starting point to think about it is asking yourself why this is happening.
And I've joined a panel recently with some law enforcement leaders in North America, and the way that they framed it was quite interesting. We're all familiar with the famous quote, I think, from Clausewitz, “War is the continuation of diplomacy but with different means.”
And to a certain degree sanction today is the continuation of diplomacy, but in different means. We're seeing dramatic changes or the ability for governments globally to translate their political policy into, “Okay, we are moving from this policy to the other, and the outcome of that, we're adding this country and these entities or whatever into the sanction list.”
So, I think that the magnitude of utilising this tool as part of the global diplomacy has increased, and enhance, I believe- and I think that was, at least, the point of view on that panel, we're seeing more and more interest and more and more focus on injecting or enforcing, I would say, these policies.
And again, this is not only about banks. I can tell you from our point of view, and Bottomline is very global, we have data centres in Asia, in Switzerland, in the US, in the UK, I can tell you, there are certain industries that are being more and more scrutinised, maritime industry, gas and oil industry.
We know that these specific industries and more, by the way, pharmaceutical and other areas where we're seeing the money movement or the ability to ensure that the money moves only from legit point A to legit point B is more and more critical. So, I think this is a key element.
And then maybe tying back to what I said around the changes that are much more rapid, that's connected to where we started the discussion, the importance of having a cloud-based solution when you can actually change much faster. The ability to bring your own- to configure your own customised logic, customise your ideas, and customise sometimes entities.
This is very critical if you want to make sure that your organisation is not yet another organization that will pay these fines and be liable, as the Kroll 'Annual Enforcement Review' tells us very well.
I'm happy to hear your point of view, but I think that this is the starting point.
Ruud Grotens: Your commentary has been very engaging and insightful for me, and I hope for our listeners as well. We have covered a lot of ground, but before we close out, could you share three key take-aways for our listeners?
Omri Kletter: Thank you, Ruud. And I'll start with the importance of collaboration and convergence. To a certain degree, we alluded to that, about the fact it's not only banks, it's corporates. Working together is critical, and this is also within the organisation.
'Within the organisation' means that the topics of fraud and financial crime are not relevant only for the fraud and compliance officer. We want to make sure that we are helping also the payments operations team in their journey so they can help internally.
So collaboration in the organisation and in the industry, I think it's important, and I think you alluded to it very well, to be more aware about increasing fraud threats that are going beyond the direct payments, so internal threat is definitely there.
And I think we talked about it, there is an opportunity now, it's not only about the challenge. Usually, these podcasts, these events, there are so many challenges, but there is also- I want to underscore there is a great opportunity around simplicity. The ability today to go live within weeks with a joint solution for fraud and for sanction is within reach. And I think there is definitely a perfect storm, and I believe the industry can work together to benefit from it.
Ruud Grotens: Thank you very much, Omri. Chatting to you has been hugely insightful for me and hopefully for our listeners too. Unfortunately, that's all we have time for today, but the Payments Podcast channel and our website, bottomline.com are great sources of information for all things payments related.
Thanks again, Omri.
Omri Kletter: Thank you.
Ruud Grotens: Thank you for your time, and thank you to our listeners as well.
Omri Kletter: Thank you very much.
END AUDIO
Listen on Apple 
Listen on Soundcloud 
Listen on Spotify 
