FATF Recommendation 16 highlights the end-to-end data quality challenge of financial crime compliance
This article originally appeared in Sibos Issues magazine. Make plans today to join senior compliance, operations and business professionals at this year’s Sibos in Geneva. Visit the Sibos website to register or learn more.
Many of the new requirements imposed by policy-makers since the financial crisis have forced financial institutions to obtain, store and report highly detailed data about risks relating to their businesses and their clients. Collecting and collating such disparate and granular information, often originating in multiple formats, is not a straightforward feat. Nothing illustrates this challenge better than Financial Action Task Force (FATF) Recommendation 16 introduced in 2012.
FATF 16 guidelines require national regulators to ensure financial institutions supply accurate information about the originators and beneficiaries of any wire transfers throughout the payment chain. The onus is on financial institutions to monitor these transfers and remedy accordingly where there is insufficient information about payment beneficiaries or originators.
The ultimate objective of FATF Recommendation 16 is the prevention of terrorism and other crimes and the detection and investigation of criminal activity when it occurs. The presence of originator and beneficiary information in wire transfer messages would enable authorities to obtain such details from banks in the context of their investigations.
“As such, it is the responsibility of banks to capture all of the basic information such as account number, name, address, and country information and store it in a message format and make it available throughout the payment chain,” says Simon Muir, Product Manager, Compliance at SWIFT.
It is the responsibility of banks to capture all of the basic information, store it in a message format and make it available throughout the payment chain.
Regulators have made it abundantly clear that they will take a tough approach against any financial institutions which have carried out wire transfers involving bad actors or sanctioned entities or individuals. “These are important policy goals and for this reason there is scope for significant penalties if financial institutions fail to comply, which might include fines but also restrictions on business, remediation efforts and third-party oversight or audit of the financial institution,” explains David Howes, deputy head, group financial crime compliance at Standard Chartered.
Identifying a sanctioned entity is not always straightforward, not least for institutions in the middle of a complex payment chain. Some originators and beneficiaries may have complex corporate structures or aliases, for example. Having mechanisms in place to detect irregular activity is crucial, and collecting information on beneficiaries and originators of wire transfers is a core component, says Muir, a former compliance officer who is now leading SWIFT’s development and industry engagement efforts in support of the cooperative’s new Payments Data Quality service.
A number of challenges exist, such as the implementation of FATF Recommendation 16 across jurisdictions with disparate legal and regulatory regimes. Many regulators do not feel it is within their remit to impose detailed operational obligations on financial institutions to adhere with the FATF 16 provisions. The lack of harmonisation across countries around implementing these rules can result in major divergences in supervisory oversight.
“Firms should look at the Payment Market Practice Group (PMPG) guidelines for FATF Recommendation 16 published in September 2015. If a financial institution is following these guidelines, it should face few challenges in its role as a payment originator,” says Howes.
The PMPG guidelines provide advice on how to format information within messages when initiating a payment, but further big challenges arise in validating that the correct information is included in messages received from counterparts.
Operational realities also pose problems to initiators and recipients of payment messages. Data collection at many financial institutions continues to rely on manual and legacy processes, leading to process inefficiencies and/or errors. “Financial institutions are currently collecting data from a wide range of sources and jurisdictions and much of this debtor and creditor information on wire transfers will come in different formats. Financial institutions need to upgrade their systems accordingly to process this information accurately,” comments Laurent Lafeuillade, Deputy Head of the Interbank Relationships department at Societe Generale.
The sheer weight of data must also be taken into account. “The volume of data that banks must deal with is significant. It is often derived from disparate payment systems in different locations and geographies and compiled in different formats. It can be very complicated,” acknowledges Muir.
Issues arising from data complexity and volume are compounded by the fact that financial payment message data is frequently incomplete, inaccurate or unstructured. Although well-known, the barriers to eradicating underlying ingrained local practices can prove intractable, leading some banks to consider exiting relationships in jurisdictions where there are insufficient data controls and quality.
A basic understanding of the arcane world of cross-border payment messages further illustrates the challenges posed by FATF Recommendation 16. The MT 103 is the SWIFT message used in cross-border payments where the payment originator, or beneficiary, or both, are non-financial institutions; for example, when a woman in country A uses her bank to wire money to a person in country B. Banks can also instruct such transactions using MT 202COV messages, which were introduced to enable straight-through processing, increase transparency, and support sanctions and anti-money laundering compliance by permitting end-to-end inclusion of the client and financial institution information from the original MT 103 message. As such, MT 202COV payments allow financial institutions, including those in the middle of the payments chain, to monitor transactions for compliance with FATF Recommendation 16.
MT 103 and MT 202COV messages contain mandatory fields for originator and beneficiary information, including account number, name, and address. Additional information such as customer identification number, national identity number, date and place of birth can also be added. While market practice exists for populating such information in MT 103 and MT 202COV messages, there is no actual enforcement of this guidance. Banks can use structured and unstructured fields, depending on message type used. Data is sometimes truncated due to the character limitations in SWIFT fields, Howes says.
Efforts are being made to migrate users to structured message field options and to educate them in the formats required to enable full automation by their counterparts; structured field usage for originator and beneficiary information will become mandatory in 2020. Greater use of structured data can allow for easier automation and enhanced post-transaction compliance monitoring. “If transactional messages are sent in the correct structured format, after usual embargo/sanction screening, data quality is improved and it allows firms to monitor debtors and creditors in line with their compliance requirements,” says Lafeuillade.
But structured messaging data is not fail-safe as far as compliance with FATF Recommendation 16 is concerned. The accuracy of the data supplied on originators is ultimately the responsibility of the originator’s bank and not the beneficiary’s bank, and the originator bank is the only institution with the ability to check the accuracy of that data. The same is true at the other end of the payment chain; the beneficiary’s bank is the only institution with the ability to check that the beneficiary’s data is correct. However, all banks in the payment chain may be held liable for using erroneous data.
Efforts to harmonise standards on end-client information are hamstrung by the complexity and diversity of existing domestic payment systems and formats. Implementing the necessary changes would be time-consuming and costly. As such, banks’ current policy is to review the relevant data in line with their own existing risk and compliance policies as opposed to an industry-wide standard.
Upping the stakes
To support industry compliance, SWIFT has been developing Payments Data Quality, an advanced reporting and data analytics service that seeks to assist banks in checking that payment messages have the relevant originator and beneficiary information. The offering provides banks with a global view of the quality of information they send and messages they receive from counterparties to help address, and if necessary investigate, shortcomings or inconsistencies in data quality. Because the product offering is web-hosted centrally, there is no need to install systems and integrate them locally, Muir says.
Meanwhile, regulatory pressure is mounting. In the European Union, for instance, the Funds Transfer Regulation adopted in 2015 will mandate inclusion of originator and beneficiary information in payments messages by 2017. Singapore recently implemented FATF Recommendation 16 within MAS Notice 626, and other jurisdictions are expected to follow. As regulators look to ramp up penalties for failure to demonstrate best efforts to comply with FATF 16 Recommendations, the ability to verify information about originators and beneficiaries of wire transfers has never been more critical.