Written by Simone Jones and Bill Coffin on Friday August 11, 2017
Imagine a future in which cash doesn’t exist, where instead of fumbling around for loose change in the bottom of our bag, all that was needed was to look into an iris scanner or scan a fingerprint. Automatically linked to our accounts, the payment would be deducted from a default account. In a world without cash, where every payment or transaction is linked to an individual, would it be the end of money laundering as we know it?
Utopia or dystopia?
Fingerprints, eye scanners and facial recognition solutions are increasingly being touted as the future. No longer the need to remember passwords or PIN codes—we could just use our own bodies to access an almost limitless amount of services, including bank accounts.
Replacing cash with fingerprints certainly seems to belong in the realm science fiction, but research by Nationwide Building Society showed that 53% of UK respondents ‘believe they will be able pay for items using their thumbprint’ by 2037.
Anonymity is the primary goal of a money launderer, who is looking to distance themselves and their cash from their criminal activities. The three stages of money laundering—placement, layering and integration—is traditionally used to describe how money laundering works. Conceived at a time when money laundering only occurred through drug trafficking, the description has its limitations in today’s world, where not every crime generates physical cash. But the description endures because it is still relevant: cash continues to be widely used by criminals.
The anonymity that cash provides, and the lack of an audit trail, makes it difficult to link cash to criminal activities. Controls such as know your customer (KYC) requirements look at decreasing that anonymity. A future in which biometric authentication replaces cash may seem like a dream come true for those tackling money laundering, but cash isn’t going anywhere soon. So what other roles can biometrics play in the fight against financial crime?
Identity cards can be forged, passwords can be hacked and bank details stolen. The appeal of biometrics is clear: by using physical or behavioural characteristics unique to that individual, you can be certain that the individual you are dealing with is the correct person.
Increasingly we are seeing biometrics used in our daily life; fingerprint authentication alone is already used to unlock smartphones (iPhone), grant theme park admission (Walt Disney World), and unlock car doors (Jaguar Land Rover). Biometrics is often associated with tackling fraud, and with identity fraud reaching record levels in 2016 and annual fraud losses estimated to be £193 billion in the UK, solutions to deal with this issue are high on the agenda.
An early adopter of biometrics in the UK was Atom Bank, but the trend has continued. TSB recently announced that it will be introducing ‘iris recognition’ to allow access to accounts on mobile phones, sitting alongside the current capability to use fingerprints on enabled devices. HSBC have implemented Voice ID for their telephone banking service, allowing customers to create their own ‘voiceprint’ to authenticate themselves, replacing security numbers or passwords.
The Monetary Authority of Macau is stepping up its KYC requirements by requiring measures to verify a customer’s identity through facial recognition at ATMs. Mainland China Union Pay cardholders can no longer withdraw funds from ATMs without facial recognition.
The ATM controls will ensure that banks are able to actually see, and verify, who is withdrawing the money. It’s not just money laundering that the requirements in Macau are looking to combat – they are driven in part by China’s concerns over capital flight. According to data compiled by Bloomberg, $816 billion left China last year, with Macau seen as the main exit point.
While biometrics are rapidly being adopted for authenticating existing customers, the role in verifying the identity of new customers is also evolving.
Biometrics is playing a role in India’s adoption of Aadhaar, a 12-digit random number which is linked to not only an individual’s name, date of birth and address, but also ten fingerprints, two iris scans and a facial photograph. From December 2017, Aadhaar must be obtained when opening a bank account or conducting financial transactions over Rs 50,000. Biometrics is used to ensure that only one Aadhaar is issued to each individual, and banks will authenticate against the 12-digit number, as opposed to a facial recognition scan. (Bear in mind that in 2016, India took the extraordinary step of banning the use of 500- and 1,000-rupee notes, effectively removing some 80% of the country’s cash from circulation. The move was to battle corruption, but clearly, a technological solution to help secure cashless transactions is needed as well.)
The idea of governments obtaining this type of information isn’t always met with open arms. In the UK plans for a National Identity Register (NIR), which included collecting a face, iris scan and fingerprints, were scrapped amid a number of concerns, including that Britain could be sleepwalking into a ‘surveillance state’.
Governments aside, there are other ways to use biometrics for customer identification and verification (ID&V). Companies are providing solutions such as Safran Identity and Security and AuthenticID to simplify the process. The solutions utilise ‘selfies’, allowing customers to take a picture of themselves and their identity documents in order to complete the ID&V stage of account opening.
Privacy concerns remain around the collection, storage and use of biometric information. In the EU it will be classified as a ‘special category of personal data’, falling under the requirements of the General Data Protection Regulation (GDPR). The ethical and privacy issues are a huge subject in their own right and need serious consideration.
Other issues include the security of these measures. The individual nature of biometrics is the attraction – only you have your voice. However reports have been made of a twin being able to access their sibling’s bank account that was protected by voice authentication. The fingerprint scanner on a smartphone have been tricked by ‘master fingerprints’ and the iris scanner in the Samsung 8 phone has been circumvented by a high definition photo and curved glass.
This article started with a tongue-in-cheek look at a future without cash. Realistically, even in a utopian cashless future, criminals would find an alternative method of exchange. Just as nature abhors a vacuum, criminals will find a way to exploit vulnerabilities.
In a world that seems to be constantly changing, it can at times seem overwhelming for AML professionals. Not only are we seeing new payment products and services, but money launderers and criminals are continually developing their tactics. We are also witnessing a number of new solutions which are looking to mitigate risks in a cost effective way. Often lumped under the banner of ‘FinTech’ and ‘RegTech’, it can be challenging for lay people to really understand the technology underpinning these solutions.
It’s important to remember the basics: do you understand the financial crime risks to your business? Have you got proportionate controls in place to mitigate or manage the risk? Do you understand both the effectiveness and the limitations of the controls? No matter what methods are used by criminals or the controls used by firms, these are the simple and fundamental questions that AML professionals need to understand.
This article was brought to you by ICA in conjunction with Compliance Week.
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.
Help and support
Alternatively contact us on: +44(0)121 362 7534 / email@example.com (Qualifications)
or +44(0)121 362 7747 / firstname.lastname@example.org (Membership)
or +44(0)121 362 7657 / email@example.com (Assessment)
or +44 (0) 121 362 7503 / firstname.lastname@example.org (End Point Assessment)