One of my favorite narratives in the Ethereum space today is that of open or decentralized finance. These things are still very new and I guess everyone sees them slightly differently, but for me there are 3 big promises open finance holds:
- Remove intermediaries > reduce cost > new financial products now possible that weren’t before (eg targeted at low income segments of the population)
- Build financial products in an open-sourced way > more experimentation and competition > better suite of products for all of us
- Single immutable and transparent ledger used by the entire industry > reduce opportunity for fraud and silly mistakes
The question then is — will it happen?
In this essay I argue it will, and for a reason far more mundane or boring than you might first think.
Ready to hear it?
Anti-money laundering or “AML” compliance.
I know you can’t wait to hear more — so let’s dig in.
At the highest level AML works something like this:
Financial Action Task Force (FATF) ⇒ national legislation ⇒ regulation ⇒ company policy ⇒ product ⇒ reporting to local financial intelligence unit (FIU)
FATF is the holy oracle of AML. It’s an inter-governmental body founded in 1989 to develop policies against money laundering. FATF has its own bible, called the 40 recommendations of AML, where it describes in the typical impossible-to-comprehend legal language what a country must do to prevent money laundering from happening on its soil.
Next come the financial institutions (FIs). Internal lawyers interpret the regulation as they see fit (following something called a “risk based approach” where companies try to identify what risks they do and don’t face) and produce an internal policy document. That then gets picked up by product teams and transcribed into actual code.
The ultimate goal is to prevent, detect, and report any incidents of money laundering.
Prevention (as much as possible) is accomplished through identification of customers during onboarding. The most basic form of this is proof of ID + address, but if the customer seems shady, a company might ask for additional documents, like proof of funds. This is also what the industry calls Know Your Customer or “KYC”.
Detection happens through monitoring. Typically it’s a mix of rules and supervised and unsupervised ML to detect bad actors. Sometimes you’re looking for a specific pattern (eg structuring) — but more often you’re just looking for anomalies in your customers’ behaviors. Once an account gets flagged — it goes to a compliance analyst, who investigates the case and passes judgement on it.
Reporting is the final stage. When an internal investigation is finished and if money laundering is suspected, a suspicious activity report or “SAR” is filed with the local FIU, such as the NCA in the UK or FinCEN in the US.
End of today’s class.
So what’s wrong
Now that you’re AMLiterate, let’s dig into problems. There are 2.
(1) AML is crazy expensive. The industry spends around $100bn (US + Europe + Asia) on AML compliance per year, with onboarding costs per customer hanging around $300–450. Think about it — you haven’t even started providing your service and you’re already in the red for $450 for every new customer that you win (as if your CAC just grew by that fixed amount). And that, by the way, is if you do everything right and don’t get fined later for billions of $$.
(2) Despite all the billions spent on it — AML doesn’t really work. The figure that blows my mind every time I think about it is 1%. That’s the estimated amount of all money laundered that we actually detect and catch as an industry (a high estimate, mind you). I literally can’t think of a job where the ratio between $$ spent and desired effect achieved is so poor (if you can — drop a comment below, I’m curious).
So why might this be the case?
In the past I ran an AML product team for a fintech in London called GoCardless, and I had a lot of time to think about the question. My conclusion goes something like this:
Remember we talked about onboarding and monitoring?
The way I see it, onboarding is the first line of defense and is really there to deter lazy criminals who can’t be bothered to follow the simple 9 step guide to faking your ID — or at least watching the YouTube Photoshop video. From my experience at GC — this group includes small check fraudsters, not sophisticated money launderers.
Monitoring, on the other hand, is the real deal. If done correctly any suspicious activity should be flagged and should lead to an in-depth investigation of the merchant’s account. Again from my experience at GC — these deep-dives typically uncover the truth. In fact, I’m struggling to think of a single case where we investigated the merchant and decided they’re fine — and turned out to be wrong.
So if monitoring is the crux of it — and we’re only catching 1% of all money laundered — there’s probably something wrong with it?
Let’s think about what we do in monitoring:
- We establish someone’s identity
- We look at their transaction history
- We put the two together and ask the question of: “given who they say they are — does what they’re doing make sense?” Eg if someone signed up as a small landlord in London — is it reasonable that they’re collecting $50k in monthly payments from customers in the Middle East?
Sounds simple enough. And the best thing — we already have all the data to answer the question. At the end of the day, we collected (1) during KYC and (2) is just a matter of
SELECT * FROM transaction_history WHERE merchant_id = 12345.
Wrong. By putting my outstanding creative skills to work, let me illustrate my point:
Do you see the problem?
Because financial services are so plentiful and money launderers are not exactly stupid — nobody will launder all of their funds through one provider. A more likely scenario is that they will break up their stolen fortune into many small packages and route them through as many different channels of the financial web as possible.
Which for us, good guys trying to detect suspicious activity, basically means we’re left with no (2) from the above equation. We really have no clue where the funds came from and where they’re ending up.
No wonder the 1% success rate.
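The blind spot described above, as an added example that is not part of the original essay: the same "does the volume fit the declared profile?" rule is run once per provider silo and once over all rows. The table layout, the declared volumes, the 3x tolerance and every row are constructed assumptions; `merchant_id` stands in for whatever shared identifier links the activity.

```python
import sqlite3

# Assumptions for this example: the volume merchants declared at onboarding
# (KYC) and a rule that flags monthly inflow above 3x that declared volume.
DECLARED_MONTHLY_USD = {12345: 4_000, 67890: 4_000}
TOLERANCE = 3

# Constructed rows: (provider, merchant_id, month, amount_usd).
# Merchant 12345 spreads $50k across five providers; 67890 is an ordinary landlord.
ROWS = [
    ("fi_a", 12345, "2024-01", 6_000), ("fi_a", 12345, "2024-01", 4_000),
    ("fi_b", 12345, "2024-01", 10_000),
    ("fi_c", 12345, "2024-01", 5_000), ("fi_c", 12345, "2024-01", 5_000),
    ("fi_d", 12345, "2024-01", 10_000),
    ("fi_e", 12345, "2024-01", 10_000),
    ("fi_a", 67890, "2024-01", 3_500),
]

def build_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transaction_history "
               "(provider TEXT, merchant_id INTEGER, month TEXT, amount_usd INTEGER)")
    db.executemany("INSERT INTO transaction_history VALUES (?, ?, ?, ?)", rows)
    return db

def monthly_alerts(db, merchant_id, provider=None):
    """Months where inflow exceeds the tolerated volume for this merchant.

    provider=<name> restricts the query to what one FI can see (its silo);
    provider=None queries every row, i.e. the shared-ledger view.
    """
    limit = DECLARED_MONTHLY_USD[merchant_id] * TOLERANCE
    sql = ("SELECT month, SUM(amount_usd) FROM transaction_history "
           "WHERE merchant_id = ? AND (? IS NULL OR provider = ?) "
           "GROUP BY month HAVING SUM(amount_usd) > ? ORDER BY month")
    return db.execute(sql, (merchant_id, provider, provider, limit)).fetchall()

def silo_vs_ledger(db, merchant_id):
    """Run the same rule once per provider silo and once over all rows."""
    providers = [p for (p,) in db.execute(
        "SELECT DISTINCT provider FROM transaction_history ORDER BY provider")]
    silos = {p: monthly_alerts(db, merchant_id, p) for p in providers}
    return silos, monthly_alerts(db, merchant_id)

if __name__ == "__main__":
    db = build_db(ROWS)
    silos, ledger = silo_vs_ledger(db, 12345)
    print("per-provider alerts:", silos)
    print("shared-view alerts: ", ledger)
```

Each provider sees $10k against a $12k limit and stays silent; only the combined view surfaces the $50k month, while the ordinary merchant is flagged in neither.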
A better way
So how do we fix this?
Well, captain obvious might suggest we try collaborating with each other by sharing data — in the hope that one day we are able to uncover the full web of transactions for any given merchant. If we succeed, it’s a total win-win. We as FIs all become smarter about who we serve and don’t serve, keeping us well out of trouble — and the society benefits from an effective AML defense system, hopefully more effective than the current 1%.
When I first had this idea I was intrigued enough to go and speak to some other Compliance Heads around London, to see what they’d make of the idea. Unsurprisingly, most of them have thought about collaborating before. And yet somehow none of them actually did.
It seemed strange and I kept going at it, until it started to dawn on me why:
(1) Data mapping between FIs is very, very hard. Probably not a surprise to anyone — but every FI stores their data differently (many don’t have it in one place and some don’t even seem to know where parts of it are). Connecting 2 FIs is hard enough and would require custom integration work — connecting n FIs starts to sound like an impossible task.
(2) Trust levels between FIs are very, very low, ie nobody wants to share data. This one felt a little paradoxical at first (everyone shares the same goal of catching criminals, why not?) — but as I spoke to more people it started to make more sense. Many FIs see transaction data as their ultimate competitive edge and others simply worry about privacy and pissing off the regulator. So the idea of giving up data is very painful.
(3) Who’s going to run and control the network? There was a real sense of concern from companies I spoke to about who’d be in charge, and why trust them. That’s only fair — firstly they need to know who they’re entrusting their data to and secondly the last thing they want is to help build something that will then lock them in and extract rent.
So that’s why.
See — I thought — if only there was a way to get all the FIs to adopt a shared set of standards for their data, and to somehow pull all that data together without revealing customers’ identities or putting it all in one party’s hands…
…wait a second…
…perhaps we could use a blockchain?
Besides forever replacing VCs, overthrowing governments and becoming the world’s sole future currency, is there a world where blockchain has another (perhaps a little more mundane) application of helping fight money laundering?
Well let’s take a look:
- it’s a single shared ledger that everyone connects and writes to, meaning interoperability is baked into the system and data mapping is not a thing,
- it’s pseudo-anonymous, meaning you can see the full transaction web without having to share sensitive data like names and dates of births to resolve entities, and
- it’s secured through trustless consensus, meaning you’re not relying on any one party to run the show and set the rules.
Jeez — it sure sounds like it might work.
Theory vs practice
This could very well happen again in this scenario — but I’m going to argue it won’t. In fact, I’m going to argue that once the industry realizes the economic value of moving to decentralized rails, traditional finance will quickly deflate to a peculiar fringe industry, if not disappear altogether.
Let’s go back to the total industry spend on AML that I mentioned earlier — $100bn / year. Where is all that money going?
From my experience at GC, and from speaking to others in the industry, today it’s probably split equally between onboarding and monitoring. But that’s changing rapidly — as more data on individuals and companies comes online, onboarding becomes increasingly automated. At GC, for example, we were able to do away with some 80% of manual identity checks by writing some smart code.
Monitoring, on the other hand, is much harder to automate.
Why is that? For the same reason that we discussed before — because it doesn’t work very well. Monitoring systems only see a tiny fraction of all of the merchant’s transactions, and as a result produce a sea of false positive alerts. What do you think FIs do with those alerts (hint below)?
That’s right — they throw more bodies at them. And human bodies are what (another hint below)?
Expensive. Anecdotally, I’ve spoken to someone at a top 5 US bank and she told me they spend $3bn / year on alert-resolving compliance analysts ALONE. That’s right — just the staffing costs and just for false alert resolution.
Back to blockchain then: if every FI’s monitoring system saw the entire web of transactions instead of a tiny sliver, I think it’s reasonable to expect that we’d see a meaningful uplift in accuracy. It doesn’t matter what you’re running — hardcoded rules or supervised or unsupervised ML, the below always holds:
more data ⇒ smarter decisions ⇒ fewer and higher quality alerts ⇒ smaller and CHEAPER teams
Exciting. But there’s more.
Inefficient monitoring is expensive and is definitely a big contributor to the mind-boggling $100bn/year AML spend. But there’s another, much more profound reason for why policing finance for money laundering is costing us so much money:
Duplication of effort.
Everyone is doing the same work over and again: the same fraudster or launderer might get flagged at 3 different FIs — they will all conduct individual investigations, which are most likely 90% duplicates — and each submit a separate report to the FIU. That’s 180% of effort wasted — both by the FIs and the FIU.
See, in traditional finance, where everyone operates in a walled garden, there’s really no other choice. You have to police your backyard and report on any crimes that happen there — because, well, if not you, then who? But in decentralized finance, where there are no walls — only a single web of transactions visible to everyone… this model makes no sense.
Instead, what I think we’ll see, is the emergence of specialized entities who police the entire network, and offer “AML as a service” to its participants. Think about how when you purchase a property — you hire a security guard to look after it. In the future, if you run a DeBank — you hire an AMLaaS company to keep you safe just the same. Or, to push it to its logical extreme, AML might one day just become a public utility — like gas or water or electricity.
To understand just how transformative this would be, let’s throw some dummy numbers around. If smarter algorithms might drive AML compliance costs down by call it 20–30–50% — then deduplication of effort, given how many participants there are in the market, will probably put us well <10%. In absolute terms, that’s $90bn in annual cost savings.
Just let that sink in. And what do you think the industry will do once it realizes this?
AML is a tough business. You’re up against some very smart people, sitting on a lot of cash, and willing to pay some hefty premiums to get that cash cleaned.
The approach to date has been to get FIs to each monitor their backyard and report on any wrongdoings. As we’ve seen, it’s crazy expensive and not very effective — but with today’s siloed infrastructure it’s the best we can do.
Decentralization has the power to change all that. By having a single web of transactions visible to everyone we can:
- run much smarter detection algorithms, and
- deduplicate the monitoring efforts, outsourcing them to a few specialized entities (public or private)
The result, hopefully, is a much more efficient and effective AML protection layer that benefits everyone — from FIs to the regulator, to the everyday man.
It’s an exciting future — and I can’t wait to see it unfold.