Identity verification and KYC (Know Your Customer) protocols are key components of anti-money laundering programs. Sometimes, however, identity verification offers a false sense of security, both for reasons that accord with common assumptions, and the opposite, with risks “hiding in plain sight” as criminals use your services even when – and, sometimes, because – you comply with rules.
In a recent discussion, a former security consultant recounted a service offering fake identities for around $1,000 that could “run rings around any system that relies on it”. At the time, “good” fake passports sold for around $1,500, with real ones under $15,000. With online checks increasingly common, the market for scanned fakes is likely bigger by orders of magnitude, not least because, at the time he was involved, digital passport scans could be had for under $20. Add a selfie and a scanned utility bill or driver’s license for less than $100.
Prices vary, but the market for scanned passports for KYC/AML accords with assumptions that criminals try to hide their real identity. Many on-boarding teams these days know how to spot fakes, and circumstances when perfect looking scans might be dodgy.
The opposite, in our mental blind spot, can be more difficult. If we believe that criminals want to hide and honest people are happy to provide details, oftentimes, neither might be true.
Criminals using their own name runs counter to expectations that they prefer to hide. Also, their documents are real, and other red flags may be harder to spot.
Worse still when regulators fall into the trap of thinking that identity checks stop crime.
In empirical research exploring how criminals use financial enablers to launder illicit funds in real estate, I found that professionals were often lulled into a false sense of security after checking client identity documents.
Criminals often appeared delighted when asked for ID, with anti-money laundering laws a boon for money laundering. Not hiding in the shadows, conducting transactions in cash, trying to stay hidden. It is better to be seen as a property developer than a drug-dealer, apparently.
And more lucrative. After purchasing their first few properties, it became easier for drug dealers to launder ever larger amounts, thanks to KYC and ID checks.
On another occasion, in a different industry, with new technology being introduced the regulator added a security measure requiring identification in certain circumstances.
Presumably, the regulator believed that criminals would be deterred. Businesses duly changed their processes to check identities, as required.
Previously, for various reasons, it was hardly feasible to launder through that channel. Criminal gangs were content with adjacent parts of the industry. Nor did the new technology change this, except for the regulator’s new identity requirement.
Virtually overnight, criminals had a new way to convert retail drug takings into bank deposits, courtesy of the regulator’s identity verification rules. I didn’t have access to the last line of data to confirm definitively, but last I checked, over $100 million appeared to have passed through a new laundering operation that was not possible without ID and KYC.
With banks’ training and software scenarios based on rules handed down by regulators about “known” criminal methods (with only criminals and empirical researchers aware of “unknown” methods) many ways of laundering have long been invisible to banks. (A colleague in a big US bank with systems calibrated mostly for anomalies remarked that criminals can slip past “known” methods too, simply by not doing anything differently). Likewise, laws based on international standards, in effect assumed to cover all eventualities, rather than empirical evidence, allow criminals to ply their trade undisturbed. (Doubly so, if bank boards and politicians are lulled into a false sense of security by assurances of compliance).
In any event, it seems a safe bet that “look out for money laundering channel created by anti-money laundering regulator” won’t appear in bulletins to banks anytime soon – adding another hole in anti-money laundering’s Gruyere-like rules/reality gap.
Little wonder, perhaps, that anti-money laundering rules have proven astonishingly ineffective, with more-of-the-same “solutions” to profound failure and perennial document leaks (“the Paradox Papers”) fixing nothing while generating an endless stream of cash for media outlets, organized compliance, and organized crime.
So, to get ahead of the game, staying on top of the rules is not enough. Empirical researchers and criminals can attest to plenty of “dark space” invisible to rules, offering criminal assurance and a false sense of “compliance” security. It can be difficult to think differently, but if you need to verify identity or proof of funds – or if you’re a regulator thinking about new processes to “stop crime” – sometimes it pays to think the opposite of what you know.