Managing financial crime risk in digital payments

The five pillars for fighting financial crime are designed to capture the inherent strengths of PSPs and
build on lessons from the experience of industry participants. Using mainstream and advanced
technological capabilities, PSPs are well positioned to challenge the standard anti–financial crime
approaches and reengineer ineffective industry practices. The staged rollout of this journey begins
with a risk assessment and the definition of the risk appetite before it proceeds through the fuller
set of actions:

1. A tailored risk assessment driving risk appetite

A tailored risk assessment of the specific risks emerging from the business model is needed to drive
a well-articulated risk appetite. PSPs and other service providers to consumers and merchants need
to identify the specific potential risks they face and build the appropriate internal infrastructure to
protect their business. Each PSP will have to consider the distinct typologies and scenarios of the
financial-crime risks to which their business models are exposed. An e-commerce platform may, for
example, attract fraudulent merchants that collude with customers to transfer illicit funds. Platforms
providing cross-border payments may be used to bypass controls adopted by other institutions.

Effective risk identification entails much more than creating high-level definitions and theoretical
assessments of risks. It should involve detailed, data-driven analyses of the merchants’ role in the
payment value chain, the types and segments of customers within their portfolios, their business
models and product offerings, and their transaction flows in terms of volumes and types. The
analysis can then be used to set the risk appetite and associated tolerance thresholds, to monitor on
an ongoing basis. All of this data should be continuously captured and updated, with triggers
embedded in the controls when divergence from the risk appetite is identified.

2. Segmented client portfolio and transactional flows

Segmentation enables more targeted and differentiated risk management measures. Pursuing the
objective of detecting and stopping prohibited transactions and bad actors often comes at high
operational cost. Enterprises do not have enough resources to monitor all transactions and
customers equally. The idea behind an appropriate risk-based approach is that PSPs should focus
more comprehensively on the small percentage of potentially risky transactions and customers. To
do this, institutions will need to develop more nuanced segmentation models, based on real-time,
up-to-date data to enable targeted detection and a clear ranking of customers and transactions,
from lowest to highest risk. Such a model would consider not only historical transactional data and
static customer records in KYC files but also forward-looking datapoints and external data on bad
actors.

3. Integrated, streamlined controls and activities

PSPs are highly skilled in developing unified infrastructure and integrated teams across risk types—
such as fraud, AML, sanctions, and cyber risk. Their experience has led to quicker decision making
while increasing the effectiveness of the respective controls. PSPs have a less siloed structure in this
respect than banks. They can use data from each of these related risk disciplines to inform decision
making across processes. They should invest in building solutions that can bring together several
controls, ideally ensuring that journeys are “compliant by design.”

This may involve the use of data and controls for fraud detection and AML transaction monitoring to
identify trends that suggest correlations with money laundering and other prohibited activities. It
may also involve integrating the various anti–financial crime controls that apply to certain products
or services, in order to avoid customer friction and enhance overall effectiveness. This approach
could result in better outcomes, as these risks are inherently linked.

4. Data-driven, continuous risk management

The use of innovative and existing technologies and data will enable PSPs to roll out continuous and
targeted monitoring solutions, the design of which is informed by tailored data analysis rather than
expert judgment only. PSPs should aim to design intelligent automated processes, applying machine
learning and analytical approaches where they make the most sense. These tools can dramatically
improve effectiveness, reducing false-positive rates and reliance on labor-intensive processes.

Leading firms, for example, are adopting a live, always-on model to assess the risk of customers
throughout their life cycle. The analytics-driven approach draws on both dynamic data, such as
transaction flows, and static data, such as customer segments and geographical risk rankings, to
better risk-rate customers. Some firms are developing AI models that learn from the experience of
historical investigations to segment and prioritize alerts. Many are also deploying machine learning
to drive dynamic optimization of transaction-monitoring scenarios. Utilizing analytics is not only
about deploying machine learning and artificial intelligence; often, basic descriptive analyses using
customer and transactional data (to understand expected customer behavior, for example) can help
experts save time, make better decisions, and deploy more targeted controls overall.

5. Customer-centricity and transparency

Stronger anti–financial crime controls need not have a negative impact on customer experience.
Instead, the controls embedded in the customer journeys can enhance customer experience and
trust in the PSP. Critical journeys such as onboarding can be redesigned to improve the customer
experience. Features could include faster transaction speeds and enhanced ease of interactions via
digital channels, using external data and user-friendly interfaces. Even simple ideas can improve the
customer experience, such as making requirements clear, communicating about onboarding
progress, or informing them of outstanding documents, for example.

The approach closely ties together the business and risk objectives of the organization. Many
institutions have moved to a model where controls relating to financial crime are developed hand in
hand with new products or customer journeys and are duplicated across risk types. When designing
a new product focused on financing, for example, some institutions ensure that documents
requested from clients are shared in advance. These can be reused to assess or mitigate risks or use
cases and are differentiated based on their risk profile. Documents required for certain processes
(such as ownership structures or income and bank statements for underwriting) can also be used to
address financial-crime risks by providing a clear view of ownership structures and sources of funds.
Enabling a holistic view of controls and creating transparency for customers on the requirements
and their purpose are paramount to ensuring a smooth customer experience.

Considerations for a sustainable operating model

The control mechanisms for countering financial crime will likely have implications for the business
model, customers, and the internal operations of PSPs. These effects will be determined by how the
controls are set up. Policy decisions will balance the dual purpose of higher speed and lower risk—to
calibrate, for example, the level and timing of due diligence conducted on new merchants on an e-
commerce platform.

Similarly, operational choices will balance customer experience, cost, and responsiveness. An
investment in superior technology with a low false-positive rate, for example, should reduce the
number of human reviewers and the amount of time needed to review and adjudicate potentially
suspicious transactions. Companies will also need to evaluate financial-crime risks as part of key
business decision making about products and services and market entry. Compliance should likewise
be an integral part of the processes for designing and approving products. E-commerce platforms
face risks posed by potentially fraudulent merchants. In this area, PSPs and banks might want to
work with these platforms and the customers the platforms serve, to help them fight financial crime
in their own offerings. Such collaboration can involve increased data sharing among PSPs, banks, and
clients, or it could simply mean better client education about common risks and approaches to
mitigate them.
PSPs can expect increasing regulatory scrutiny as incidents of fraud and money laundering surface in
connection with their business models. They now have an opportunity to set regulatory agendas
before these are set for them, by engaging early on with regulators. Another opportune step would
be to engage with market participants to advance collective thinking on these topics. Such an
approach will build credibility with both regulators and investors and could give organizations a
market advantage.

As PSPs develop their approaches to counter financial crime, they can learn from banks’ past
reactive approaches. Banks invested millions in detection infrastructure, but many projects proved
to be only marginally effective. Banks implemented heavy transaction monitoring to detect money-
laundering activity, for example. Often, these produced outcomes with very high false-positive rates
—even as high as 99 percent. The experience of banks demonstrates that establishing a robust and
effective infrastructure for fighting financial crime is a complex undertaking (for more, see sidebar,
“A few lessons for banks”).

A few lessons for banks

The enhanced customer experience that payments service providers (PSPs) offer holds important
lessons for banks as well. Not only do PSPs onboard customers with a minimum of bother but they
also offer faster service, along with an extra level of security for purchases. Now that PSPs are
turning their attention to financial-crime risks, the solutions they develop based on superior
technical skills will no doubt be designed to protect that customer experience advantage.

Banks can use PSP-style solutions to improve their own customer experience and to counter
financial crime more effectively. They can consider, for example, deduplicating and streamlining
controls across different areas, leveraging data to improve analytical and digital approaches, and
keeping customer profiles up to date proactively through transparent customer journeys.

In launching their own efforts, PSPs can utilize lessons from this experience to avoid wasting
resources on ineffective approaches:

Embed controls within processes and decisions. Many PSPs start with a clean slate and possess
significant relevant advanced technological expertise. They are therefore in a good position to create
compliant-by-design processes with few data or system constraints.

Design controls in proportion to the business model. Often, the increased cost of and focus on
controls is a direct function of the business model selected by PSPs—for example, to serve high-risk
sectors such as crypto or digital-asset platforms. In such cases, investing in more effective and
efficient controls and frameworks is a prerequisite for serving higher-risk parts of the market.

Think ahead and focus on data. Define data requirements early and standardize and start capturing
these data. PSPs can make their products and services better and improve the customer experience
by drawing lessons from data gathered from control activities such as onboarding and ongoing due
diligence (for example, on geographies and sectors served by merchants) and incorporating these
into business decision making and product offerings.
Always build a business case. Infrastructure investments should be supported by a clear business
case to avoid expensive solutions that are only marginally effective.

Plan for complexity. Establishing a robust and effective infrastructure for managing financial-crime
risks is a complex undertaking that should be planned and tracked by dedicated experts.

Extract better value from existing controls. Many anti–financial crime controls can be better utilized.
For example, information on business activities and counterparties gathered as part of the
onboarding and ongoing due-diligence process can yield insights into company activities that can be
used to qualitatively assess their environmental, social, and governance (ESG) profiles and impact.
Adverse media screening used to determine the financial-crime risk can similarly be tuned to focus
on ESG-related topics.

Consider the unintended benefits of a strong financial-crime risk management program. Strong anti–
financial crime capabilities will help enhance the ESG profiles of PSPs.

The tremendous and continuing success of digital-payment channels and the business models of
payment service providers coincided with the rise of financial crime and is therefore drawing
regulatory attention. When PSPs build a response to counter financial crime, they can anticipate
rather than react to the changing regulatory environment, taking advantage of their advanced
technical knowledge and the prior experience of banks.

Source: McKinsey & Company 2022