4. Definitions
Risk - the quantitative assessment of the likelihood of unfavourable
events occurring, and the likely loss resulting from it.
Uncertainty - the unquantifiable portion
Governance - making a strategic decision on how much risk a firm
should take on
Compliance - enforcement
10. Vulnerability Threat Harm Risk
Vulnerability
Loss of balance
Threat
Crocodiles
Harm: Death by crocodile (by losing balance and falling into the crocodiles)
Risk: The likelihood that the tightrope walker will lose balance, succumb to the threat and suffer the harm
11. Reduce risk…address vulnerability
Vulnerability
Loss of balance
Threat
Crocodiles
Harm: Death by crocodile (by losing balance and falling into the crocodiles)
Risk: The likelihood that the tightrope walker will lose balance, succumb to the threat and suffer the harm
Improve balance
12. Reduce risk…address threat
Threat
Crocodiles
Harm: Death by crocodile (by losing balance and falling into the crocodiles)
Risk: The likelihood that the tightrope walker will lose balance, succumb to the threat and suffer the harm
Vulnerability
Loss of balance
Remove Crocodiles
River
Harm: Death by drowning (by losing balance and falling into the river)
13. Terms are often confused…
Threat = anything that can exploit a vulnerability, intentionally or accidentally, and cause damage (i.e. source of harm)
Harm = the damage / deleterious effect caused by a threat exploiting a vulnerability
Risk = the potential for harm as a result of a threat exploiting a vulnerability
Vulnerability = a weakness or gap in protection
14. Remember…
• Threat with no vulnerabilities = no risk
• Vulnerability with no threat = no risk
BUT
• We don’t know all the vulnerabilities and threats
AND
• Is context specific
17. Big Data
What’s new?
What is it?
Big Data = Data
What’s new?
Time series of reliable (organisational level) data
• helps us robustly answer questions
• as we can control for unobserved ‘heterogeneity’
Combining various (open) data sources
• allows us to create novel and powerful insights
• Spatial dimension of data extremely valuable
18. Big Data
What to use it for?
Gaining insights
Optimising Systems
Automation of tasks
(but human always
makes the last decision)
Predicting outcomes
(at times)
19. Big Data
History
Issue: data collected for recording and documentation, not analysis
Data ‘internally’ inconsistent, and often incomplete
1985+ Financial data records / ERP accounting systems
1994+ Widespread use of ERP systems in organisations, and Email/Internet
2000+ Widespread digitisation of information
2004+ Systematic collection of (all sorts of) data series, dramatic increase in
data quality
20. Big Data
Data quality
Organisations have good data
• On average
• GDPR might be used as an excuse
• Be very careful about the IT service
contracts you write
• You need to be able to extract data
easily, freely, and frequently (dynamic)
• Security is often used as an excuse
24. Understanding Methods
Causation
• Carefully specified regressions
• Ability to predict
• Established method
Correlation
• Machine Learning (Lasso, supervised learning, tree models [Random Forest])
• Good for
• Ranking of influencing factors
• Predictions (ceteris paribus)
• Requires very large samples
25. AI
A concept, not reality
Only two functioning unsupervised
learning / self-learning applications
Very clear rules
Clearly observable and unambiguous
movements
Clearly defined space (physical and
options)
Ideal for permutation ‘game’
28. ‘Big Data’ – the not so nice side
Enormous economies of scale and scope lead to
natural monopolies
Private providers will always exploit it to the
fullest (Google, Facebook, … )
o trying to lock people into dependencies
o have a weak moral compass
… to the degree that they are now destroying
their own ecosystem in Silicon Valley
We are terribly naïve about the intent of some
of these firms; regulation and contracts will only
provide limited security
29. ‘Deep Fake’
• Faces and full bodies can now
be generated in every image
and movie
• What’s real?
• People to watch (amongst
others): Sarah Atkinson
(Kings) or Hao Li (U Southern
California)
34. Compliance
• Compliance with law and regulation ‘continuous’
• Compliance costly
• Ultimately responsibility of board
• Issue of enforcement (10% error for speed checks)
35. Compliance
• Compliance costly
• Compliance function can get very big, with little value added
• Whistleblowing
• Non-compliance also costly
• Fines
• Reputational damage (naming and shaming)
• Trade-off between cost and benefits
• Interesting cases
• Danske Bank
• B737 Max
• BP (Deepwater Horizon)
36. Compliance Theory
• Compliance adds a layer of complexity to agency problem
• Regulator is now the ‘highest principal’, above the board, then management.
• Issue of plausible deniability (shareholders care about profits)
37. Comply or Explain
• A British way to deal with the ‘rule-taking’ version
• Adopted throughout Europe
• A very good idea in principle, but in practice most companies just
comply
• Explanation often meaningless
38. Governance, Risk, and Compliance (GRC)
• Compliance one function with governance, risk management, and IT
governance (GRC)
• Aims to enforce risk limits and accountability within the organisation
• IT constitutes major operational risk
39. Three Lines of Defence
1. Operations
2. Compliance and Risk Management
3. Internal and External Auditors
• Board of Directors
40. Environmental, Social, and Governance (ESG)
• Influence the ethical impact of a company
• Part of the investment decision process
• Selected ESG Issues:
• Human Rights
• Carbon Emissions
• Diversity
• Employee welfare
• …
41. Corruption
• Petty corruption
• Grand corruption
• Political corruption (baksheesh, or major bribes)
• Small favours surprisingly ‘successful’
43. Issues with AML Initiatives
• Incredibly expensive for society
• Cumbersome for banks, their staff, customers, and intermediaries
• Very ineffectual
• We might just find 1% of ML payments
• Strong bias to detect the small, and unsophisticated ‘criminals’
• Very profitable for consultants, TR, etc.
44. An Example
From Europol
• A payment processor for drug payments
• Collects cash from street dealers throughout Europe; around €1bn
annually
• Counts it, launders it through European banking sector, and sends it
back to the Americas as ‘clean’
• Fee: About 6-7%
• Origin: Lebanon, with likely links to Hezbollah
45. A Reminder
Sources of funds, classified as ML
1. Proceeds of (Serious) Criminal Activity
Drugs. Human Slavery. Child Sexual Exploitation. Racketeering. Fraud. Cyber.
2. Embezzlement of State Funds, Tax Evasion, and Serious Corruption
3. Avoidance of Currency Controls (China)
4. [Terror Finance]
46. Organised Crime
• ‘Clean’ the proceeds of criminal activity
• Form of ML with direct impact on society
• it encourages criminal behaviour
• once proceeds get re-invested in society, they will affect asset prices and drive
legitimate business out of the market (simply because the price pressure is not the
same).
• as we know from Sweden, organised crime and jihadi groups are increasingly
intertwined, hence organised crime might finance future terror related
activities in our backyards.
47. Embezzlement, Tax Evasion and Serious Corruption
• Typically involves large amounts coming from states with weak
institutions.
• Little incentive for institutions in intermediate countries, like
Denmark, to get involved.
• Given that the amounts are very large, these activities are highly
profitable for the intermediary financial institutions, and so ‘helpful’
to improve the financial stability of that country.
48. Avoidance of Currency Controls
• Again highly profitable
• Main source countries Russia and China
• Saipan in the Pacific
49. Terror Finance
• Practically undetectable by looking at the finance stream
• Alternative detection mechanism is for banks to track IPs
• Classical police intelligence work probably better value for money
50. The Legal & Institutional Framework
In need of restructuring
1. FATF (Born out of G7 in 1989): 40 rules
Rules written by lawyers for lawyers; very difficult to operationalise
Unclear how effective. In urgent need of an update
2. Financial Investigation Units (FIUs)
Very under-resourced, as political priorities are with ‘classical policing’
High staff turnover, as Banks poach aggressively
Staffed by police men / women, with good investigative skills
Very short time window for investigation / decision on STRs
3. Banking Regulators
Very limited power
Branches vs Subsidiaries (remember AIG Banque – USD 180 billion bailout)
In the future, the FIU should become part of the regulator, who will pay for it
52. Data Infrastructure
The Current Issues
• Far too much work is done manually, which is expensive and cumbersome,
and leads to inconsistent outcomes.
• Detection algorithms focus on within-account consistency, not consistency
across accounts (very easy to circumvent)
• Commercial algorithms lack an outcome variable (prosecution/conviction),
and hence are trained to detect a small number (about 40-50) of known
cases
• Substantial body of literature on SOC, but typically ethnographic,
documentary, or biographic in nature, often picked up by the Media, and
Hollywood.
• This leads to a popular conception based on anecdotes rather than
empirical work
53. Data Infrastructure
The Current Issues
• The data revolution hasn’t arrived
at the ML world
• Many of the open source datasets
are not exploited adequately
• Sanctions lists will be provided as
open-source, including much
better algorithms
• For SOC, the police datasets are
very rich, providing a lot of insights
• There is value in the payment data
54. The Way Forward
What am I working on?!
• We need to ‘mechanise’ much of the manual labour
• We need to focus on the ‘big problems’; let’s not throw the baby out
with the bathwater (Trust within the Nordic Societies)
• The algorithms must be tailored to the issue type (1 vs. 2-5). Terror
finance is undetectable with algorithms
• On SOC, I have access to the UK’s Organised Crime Group Mapping, and
will have access to the population of STRs. Sanctions Data will be made
available as an open platform, with much improved search algorithms.
Company registers will be cross-checked mechanically using
OpenCorporates. Plus a big ‘goodie’ …
55. The Way Forward
What am I working on?!
• For 2-5, we will need to work
much closer with the Financial
Regulator to observe large
payment flows.
• We will need to strengthen the
reporting (STRs) of large sums to
intermediaries.
56. The Way Forward
Institutions
• Responsibility for anti-money laundering investigations should move from
the FIUs to the supervisory bodies, in our case the Danish FSA, and
combine all activities under ‘one roof’.
• The FSA should pay for all activities, including the investigators who will
work alongside and in close collaboration with the officers from the FSA.
• The financial supervisor understands banks much better than an FIU ever
can, has access to their data, should have the empirical skills, and is much
better resourced than the Police Service.
• This will require that the FSAs are reorganised along clear responsibilities,
and without conflict of interest.
57. The Way Forward
Proposed FSA Structure
• Regulatory and Policy (pre-legislative work)
• Inspection (inspections into bank’s compliance with regulation)
• Investigations (investigations under strengthened legal guarantees and
legal controls, handed over from the Inspections Unit)
• Enforcement
59. History
• Founded 1871
• Rescued first time in … (?)
• Rescued second time in 2008/9 (state guarantees & capital injection)
• Purchase of Baltic Branches from Finnish Sampo Bank in 02/2007
• About 2.8m retail (personal & business) customers (v. small; HSBC 39m)
60. Events in Estonia
• Danske Laundromat 2007 – 2015
• 2007: 1,550 ‘suspicious’ non-resident customers
• Over the period, around USD 230 billion (based on 6,200 customer
reviews, out of about 15,000 in Estonia) suspicious transactions
(impossible to prove that it is ML)
• Mechanism: (Fictitious) shell companies; mirror trades; fake trade
invoices
• Swedbank: Much bigger share of the Baltic Market (non-resident
population unclear)
61. Management and Supervision Issues
• Thomas Borgen was Head of International Banking (2009-2013)
• Promoted to Danske CEO in 09/2013 due to ‘stellar’ performance of the
Baltic business (similar to Brigitte Olsen at Swedbank)
• A number of red-flags within the bank (internal auditor reports)
• Equally, a number of concerns were brought to the attention of the
Supervisory board (via Russian Central Bank, Estonian Supervisor,
Whistleblower)
• Ernst & Young accused of criminal negligence / cover-up; potential
further political ‘liabilities’
• ‘Last’ / fail with regard to supervision (FATF assessment in 2017)
Interested in when, where and why the public is endangered
Fits the interests of both police forces and HMIC
GMP’s purpose “Protect society and help to keep people safe”
HMIC’s purpose “Promote improvements in policing and make everyone safer”
I say risk
You say
Threat
Harm
Risk is a prognosis
Context