A special report published early last month by a consortium of investigative journalists, showing how financial criminals siphoned billions in ill-gotten gains from Russia through several Western banks, represents just the latest global money laundering scheme exposing gaps in anti-money laundering practices worldwide.

The exposé, published on March 4 by the Organized Crime and Corruption Reporting Project (OCCRP)—the group behind the “Panama Papers” and “Paradise Papers” leaks—and Lithuania news outlet 15min.It shows how a complex, interconnected network of at least 75 offshore companies were able to siphon $4.8 billion in ill-gotten gains from Russia through several Western banks between 2006 and 2013.

“The data, which was compiled from multiple sources, represents one of the largest releases of banking information ever, involving more than $470 billion sent in 1.3 million leaked transactions from 233,000 companies,” according to the OCCRP’s report.  At the center of the so-called “Troika Laundromat” scheme is Troika Dialog, once Russia’s largest private investment bank.

But while Russia may be the one with the dirty laundry problem, it’s Europe’s financial system that needs to clean house, as many of the banks implicated in the scheme for having suspicious accounts or links to Russia are European banks. Among them include Germany-based Deutsche Bank; Danske Bank Estonia; Sweden-based Swedbank; Austria-based Raiffeisen Bank International (RBI); Finland-based Nordea Bank; Amsterdam-based ING Groep; Belgium-based KBC Group; and Crédit Agricole Group.

All these banks at one point or another have already been in regulatory trouble for having lax AML controls in place—many on multiple occasions and many facing hundreds of millions of dollars in fines. Deutsche Bank, for example, paid $630 million in fines to U.S. and U.K. authorities in January 2017 for failing to spot artificial trades that were used to launder $10 billion out of Russia.

Many of these same financial institutions, however, also have hundreds—if not thousands—of full-time employees dedicated exclusively to AML controls. They also continue to spend substantially more on AML compliance-related activities than just a few years ago.

Thus, it’s no surprise that some of the banks implicated in the Troika Laundromat scandal have been quite verbal about defending their AML compliance programs following the latest revelations. “Our compliance processes are robust, and our systems are state-of-the art,” said RBI CEO Johann Strobl in a March 13 earnings conference call. He noted that RBI’s head office alone has roughly 80 employees involved in money laundering prevention.

Nonetheless, RBI has set up a task force “to analyze the individual client relationships on a case-by-case basis, particularly with regard to the historical issues mentioned in the media,” Strobl added. “So far, our chief compliance officer and his team of internal and external experts have not been able to identify any anomalies,” he said, adding that RBI cannot provide any information about the individual transactions or customer relations due to confidentiality considerations.

The task force expects to complete its work within three months.  “From today’s perspective, we firmly believe that no punishable offence was committed on our part and we do not expect any penalties to be imposed on us,” Strobl said.

Why take the chance?

Given that many global banks continue to repeat the same compliance mistakes time and time again, even as they continue to invest heavily in AML compliance efforts, several critical questions deserve attention: Why do widespread money laundering schemes continue to slip through the cracks? At what point are AML compliance measures enough? How much responsibility do the banks bear versus regulators?

“From today’s perspective, we firmly believe that no punishable offence was committed on our part and we do not expect any penalties to be imposed on us.”

Johann Strobl, CEO, RBI

Part of the problem is that criminals are always several steps ahead. “Money launderers are finding new and advanced ways into hiding, washing, and laundering money, and finding gaps within the financial institutions with whom they are a customer,” says Jason Tran, director at ACA Telavance, an AML consulting firm. “It’s evident by the Troika Laundromat revelations that there are too many entry points within a bank.”

Some of those key entry points are explored in more detail below:

Trade-based money laundering. As with many Laundromats, trade-based money laundering involves criminals moving substantial sums of money across borders by fraudulently manipulating the price, quantity, or quality of a good or service on an invoice submitted to customs. “The bad guys count on the chances of them being caught as being very low, because they’re able to hide within that sea of otherwise legitimate transactions,” says Art Middlemiss, former director of the global anti-corruption program at JPMorgan Chase and now a partner at Lewis Baach Kaufmann Middlemiss.

“In an ideal world, what you would have a bank do is drill down on each and every transaction to make sure that the transaction is conducted for precisely the purpose that was written down on the wire transfer,” Middlemiss says. That is simply not possible, however, given the trillions of dollars in transactions that banks handle each day.

“So, it’s a fallacy to say that a compliance officer is going to be able to drill down to each transaction to find whether or not that one has a legitimate purpose or not,” Middlemiss adds. “It is possible to do with respect to any individual transaction. It is impossible to do with respect to every single transaction.”

Correspondent banking relationships. Banks rarely have complete transparency into their foreign banks’ customers, posing a compliance risk. Take Deutsche Bank as just one example. “In the correspondent banking business, Deutsche Bank’s clients are so-called respondent banks. It is first and foremost the task of the respondent bank to check its customers in accordance with the applicable KYC regulations,” a spokesperson for Deutsche Bank tells Compliance Week.

“In our role as a correspondent bank, we have only limited access to information about the customers of the respondent bank,” Deutsche Bank says. “Consequently, as a correspondent bank, we must carefully review our respondent banks, monitor the transactions we process, and report any suspicious transactions.”

But even those AML processes are far from bullet-proof. “The things that keep you up are the things that you don’t know and the things you can’t know,” Middlemiss says. You can put in place policies and procedures that require asking the right questions, but there is never any guarantee that you’re going to get back the full or accurate answer—and you have to rely upon that, he says.

Anonymous shell companies. Simply put, without greater transparency around anonymous shell companies, money laundering activities will continue. “As long as we tolerate corporate vehicles that don’t require transparency as to the ultimate beneficial owner, it’s impossible for the banks to do the job that has been outlined for them by regulators,” Middlemiss says.

Complicit employees and the banks that allow illegal activity to happen in the first place. Toxic corporate cultures and complicit employees are the biggest risk of all. Compliance officers in the financial services industry can learn a lot from the missteps of Danske Bank, in particular. According to a root-cause analysis into its Estonian branch, the bank concluded that “several major deficiencies” in controls and governance made it possible to use Danske Bank’s Estonian branch for criminal activities, including money laundering.

Danske Bank’s analysis pointed to three major deficiencies, in particular: the lack of a proper culture for, and focus on, AML at the Estonian branch; inadequate governance in relation to compliance and risk; and management follow-up and control were highly dependent on local country management.

Advanced AML practices

Defending against global financial crimes like Troika Laundromat is not impossible but requires both a dynamic and integrated approach to AML compliance. That begins with practicing proper Know-Your-Customer compliance, beginning at the onboarding stage—but in a far more intelligent way than AML compliance practices of a yesteryear.

Many solutions today enable financial institutions to perform even greater enhanced due diligence by automating the screening and detection process with better accuracy, uncovering previously unknown risks, identifying linkages, and building upon a customer’s risk profile to help financial institutions make smarter decisions, faster.

High-quality AML risk data has traditionally been difficult to spot because it’s mostly made up of large volumes of unstructured data spread around the world. From a screening and detection standpoint, “what you need is the ability to pick up on all those data points,” says Livia Benisty, head of financial crime at ComplyAdvantage.

Today, advanced analytics—like artificial intelligence (AI) and machine-learning technologies—offer banks new and exciting ways to perform enhanced due diligence in ways that were once impossible. For example, unstructured data—social media, video surveillance, facial recognition software, and more—can now be consolidated with structured data and analyzed together to identify patterns and anomalies that may go undetected by the human eye.

Traditional AML practices that rely on static, name-matching criteria and other identifiers—such as date of birth and geographic location—create too many false positives and depend too heavily on human judgment calls. Most financial criminals have multiple passports in multiple names. “They can totally mask their identity,” says Kenneth Rijock, a former money launderer turned financial crime consultant.  “Names are totally irrelevant now.” Nor is it sufficient for compliance officers to simply check a Politically Exposed Persons database like World-Check, he says.

Today’s best-in-class AML compliance programs are those that look for the criminals, not just questionable transactions—but that requires using enhanced customer profiling. Some technology firms, for example, provide enhanced background checks by using AI to carry out facial recognition on photos and passports/identity documents and data integration with a range of systems to carry out background and criminal record checks.

Advantaged analytics affords the same capabilities for assessing geographic risk—by rating countries based on their risk of money laundering activity, for example. It’s a question of knowing what risk a bank is willing to except, Middlemiss says, “and if it does business with a particular jurisdiction, it should know what the risks are in that jurisdiction.”

Financial institutions with best-in-class AML compliance programs understand that preventing money laundering is not just about complying with rules and regulations, but rather using information proactively and intelligently to reduce their risk. “AI and machine-learning are going to be essential in how we move forward,” Benisty says.

To fight money laundering activity effectively, however, will require greater coordination from government bodies, as well. In Europe, the Troika Laundromat report has renewed calls by members of the European Parliament to set up “as a matter of urgency” an EU-wide anti-money laundering supervisory authority, stated a March 14 letter to European Commission President Jean-Claude Juncker. The letter was signed by 21 members from 14 EU countries—including the United Kingdom, Germany, Belgium, Finland, Sweden, Poland, Lithuania, Latvia, and Estonia.

“We are extremely concerned about this unprecedented scandal following previous Panama Leaks and other cases which have revealed the EU’s vulnerability and unpreparedness to fight financial fraud and money laundering,” the letter stated. “We acknowledge the efforts the Commission has been taking, such as the Fifth Anti-Money Laundering Directive and strengthening of European Banking authority. However, this case shows that much more still needs to be done.”