World Money Laundering Report

Algorithms aren't omnivores

Nigel Morris-Cotterill

In 2015, the UK's Financial Conduct Authority fined Barclays Bank its then largest penalty for failings in its financial crime management obligations. Barclays had been one of the first major banks to install company-wide money laundering management software. But it doesn't help when those within the bank don't feed it the information it needs.

World Money Laundering Report - Articles

Barclays bought the product from the company that was then called SearchSpace. Even though this was long into the age of microcomputers, even laptops more powerful than the computers that designed the Space Shuttle, a room in a low-key Barclays building just outside Birmingham was filled with Big Blue IBM cases to process only data related to money laundering. Industry rumour was that the cost had been about GBP30 million although none of the parties seemed to have confirmed that. The amount of data it could crunch was in numbers that were so big they were meaningless.

SearchSpace was at the cutting edge of so-called Artificial Intelligence, having started in the computing department at University College London (UCL). In their offices in a trendy office conversion in a trendy part of central London were a million conceptual miles away from the science fiction-like room at Barclays which was more like an operating theatre prepped for action. The SearchSpace office had tall windows, white painted metal staircases and desks that were covered in a variety of paper. It was full of people writing formulae on walls, playing music on full-size acoustically correct headphones with their feet on desks, all the signs of mathematical genius. There were PR and sales people, almost breathless in their anxiety to explain how clever their people were, and how algorithms were the way forward to understand financial crime. They were excited: it could collect data on millions of transactions each day, it could cross-refer data from those transactions, it could take in information from the newly launched World-Check whose tireless creator, David Leppan, talked to anyone and everyone that he could build even tiny relationships with. Jason Kingdon, SearchSpace's CEO, was the only one in clothes that looked like he worked in an office: not that the others were scruffy but slacks and open-necked shirts were the norm. Even so, Kingdon's mop of hair and easy going manner and perma-smile marked him as different from the men in suits that passed his door.

This was the genesis of big data but it lacked something: it lacked an understanding of the kind of data that humans understand and it lacked a full understanding of how banking in particular and finance in general works. In short, the office was full of clever people, all looking at things from the same perspective: if our algorithms are fed this, the computer will do that but it needs clear and unequivocal data because it can't digest things we don't tell it to expect.

Barclays reckoned that the room full of Big Blue boxes would last them five years and that a process of review of software and hardware would start about eighteen months before that.

Five years in, in 2003, Barclays Capital announced that it was going it alone with transaction and sanctions screening from Mantas. It also used market surveillance tools from Actimize and for compliance modelling, some of which it developed in-house ( Actimize was in use until at least until 2015, and some development was done in Pune, India.

In 2010, it was announced that Barclays was to start to use Temenos (formerly Viveo) "across four locations: the UK, Switzerland, South Africa and the US. The new solution, together with a screening component dubbed Linguistics, is to become Barclays’ global sanctions solution for payments screening." That was to " be used alongside Datanomics’ customer screening software, which the bank purchased last year." Temenos had an important function which had frustrated many in financial institutions and, even airlines: variations in romanised spellings of names transliterated from other scripts. There are, for example, nine variations of Muhammad.

But whatever technology was being used, either it failed or it was not being used properly in relation to PEPs who were active in the bank's systems in 2011 and 2012. The bank was fined GBP19.8 million and ordered to surrender (in that terrible Americanisation that other regulators around the world are seemingly unable to reject, it's called a "disgorgement") a further GBP52.3 million, the profits that Barclays made on a series of deals, some of which were amongst the biggest the bank had ever made in single transactions.

The catalogue of actions that were not done or were under-done by Barclays in order to win and keep what the company, in its in-house argot, called "elephant deals" is long. This one, set against the usual threshold for deals to get that name really deserved a name of its own: elephant deals exceeded GBP20m. The deal at the heart of the FCA's action was for GBP1,880 million.

Barclays, the FCA found, adopted extraordinary (literally extra-ordinary) policies for the customers involved. First, recognising that they were, in fact, politically exposed persons, it was nevertheless decided that the identities of the customers would never be revealed, even within Barclays. That, Barclays might argue, is the essence of true Swiss Private Banking. But the customers were not doing business with a small, Swiss Private Bank: they were doing business with a global bank in London, a bank that had crowed about its involvement in the Wolfsberg Principles which, cynics said, were nothing more than a declaration that the member banks would comply with the law and have a senior committee, in their private banking divisions, to handle high-net worth individuals. Astonishingly, the deal was that if Barclays failed to keep the identity of the customers completely confidential, Barclays would pay compensation of "up to GBP37.5 million."

The confidentiality provisions meant that Barclays could not apply its financial crime risk assessment and customer identification processes in the various divisions that would be involved in the transactions, even though much of it would involve international transfers. Inevitably, in the absence of a properly thought out and implemented system, it went wrong.

One of the problems identified by the FSA was that it was never clear who was in charge of the business relationships or managing financial crime risks. "specifically, those who approved Barclays' entry into the business relationship had a very poor understanding of the financial crime risks involved and misunderstood what their approval was for," said the FSA. But even more damning it said "Barclays senior management were concerned about the speed at which the due diligence process could be completed, with one manager expressing a desire to "race this through.""

One might think it couldn't get worse, but it can and it did. Barclays followed "a less robust process than it would have done for its other business relationships that had a lower risk profile... failed to adequately establish the purpose and nature of the transaction and did not sufficiently corroborate the customers' stated source of wealth and source of funds for the transaction. These were fundamental due diligence checks which Barclays should have carried out... Barclays failed to monitor appropriately the financial crime risks associated with the business relationship .. missed identify and remedy gaps in its understanding of those risks."

It also failed in record keeping.

Clearly, no matter what technology was in place, and Barclays had invested huge sums in various forms of tech, none of it matters if it is not fed the correct and all relevant information. Not only did Barclays starve the tech of information required (had it not done so, exception reports would have been produced and therefore information would have leaked) but it also gave the systems false information: "Those who were identified on Barclays’ systems as having given the approval referred to in paragraph 4.23(a) above did not know that they were named on Barclays’ computer system as having given his approval. They did not accept that they had this responsibility in interviews with the Authority. " Moreover, senior management, who have the ultimate responsibility for so-called Enhanced Due Diligence over-relied on Legal and Compliance to evaluate the data that was made available - and that was not full or accurate.

The bottom line is that the bank while not accused of laundering per se, by its actions demonstrably failed to take action intended to reduce the risk of laundering.

We say the bank and its senior staff were lucky: there appears, on the face of the FCA's report, ample evidence for a criminal conviction. No bank employee or director was subjected to individual penalty.

And the reality is that those algorithms are now far more complex, far more unwieldy and handle a far wider variety of data than before: but only if they are given it and if what they are given is true.

FCA Notice:…