To blockchain: $700m CBA fine is just a normal part of AML/KYC today
The largest civil penalty in Australian corporate history is just another day at the office.
On 4 June, AUSTRAC (Australian Transaction Reports and Analysis Centre) and Commonwealth Bank (CBA) agreed on the largest civil penalty in Australian corporate history, landing the bank with a $700 million penalty, plus $2.5 million of spare change to cover AUSTRAC legal expenses.
The previous record was held by Tabcorp, which paid $45 million for breaches of AML/KYC (anti-money laundering/know your customer) laws.
In taking the agreement, CBA accepted the following:
- It failed to punctually report 53,506 transactions of $10,000 or more through its "intelligent deposit machines" (IDMs).
- It failed to appropriately carry out risk assessments of its IDMs, and mitigate IDM money laundering and terrorism financing risks.
- It did not adequately monitor transactions on 778,370 accounts over a three-year period.
- It did not report suspicious matters on time, or at all, involving transactions in the tens of millions of dollars.
- It did not take action even after becoming aware of suspected money laundering or structuring by CBA account-holders.
The cost of compliance
CBA investors rejoiced as the penalty landed, and CBA share prices quickly bounced up following the news, adding $1.6 billion to CBA's market cap. The settlement removed one source of uncertainty from the market, and CBA also managed to haggle the penalty down to a quite reasonable price.
Either way, it had all been budgeted for and the fine was only 0.6% of CBA's market cap.
"In that context, the fine is well and truly in the price," said Regal Funds Management portfolio manager Omkar Joshi to the Australian Financial Review.
CBA chief executive Matt Comyn also pointed out that the bank had so far spent around $400 million trying to fix the problems with technology and people which allowed it to happen.
AML/KYC compliance is one of the few bank costs which keeps growing even as automation shrinks expenses elsewhere, largely because of the inevitability of fines and the potential for minor problems to cause expensive ripples. For example, it was just a single IDM coding error which let so many transactions go unreported for so long.
The current state of bank KYC/AML means catastrophic systemic failure and record-shattering civil penalties are just another day at the office – and a pretty good day too.
On the blockchain
For many reasons, blockchain technology may be the only realistic way of actually changing the AML/KYC status quo. In the smallest of nutshells, distributed ledger technology is the most promising option because:
- It can be almost entirely automated
- It can largely eliminate single points of failure
- It can be oriented around identity rather than transactions without causing new privacy-related problems
However, implementation is easier said than done.
Making it happen
"Banks will, theoretically, benefit in more ways than none when implementing digital identity solutions," said Fernando Albarrán, executive chairman of BidiPass, and a former cybersecurity expert at Santander and BBVA bank. "The current validation system is based upon a centralized trust where a singular entity verifies one's legitimacy. This goes for payments, wire transfers, and any monetary transaction; the level of protection digital identities can be provided exceeds current protocols. The implementation is the core problem."
Decentralisation is a drastic shift, so established institutions can't simply switch on a blockchain. It also doesn't help that the current state of the blockchain art is scattered and relatively little-used in the real world. This makes it extremely difficult to find a fresh protocol that can work at every level. Plus, when you're introducing a drastically new protocol, it's vital to make sure that every single step is done right, and that all preceding and subsequent steps can continue to work.
"The level of usage within current day is the problem, and you’re seeing the same issue with usable blockchains such as Ethereum," they said. "Of course, if it were a switch to flip, one would obviously choose the more efficient option, but it's not that simple. You have millions of users, and implementing a fresh protocol isn’t a one stop solution. It involves modifying each preceding change. Decentralisation is a scary thing at first glance, so banks must approach it cautiously, which is what they're doing. Small steps is key for not only decentralisation, but optimal efficiency when speaking of transactional discretion."
Depending on how ambitious a bank is, they might approach the challenge of blockchain KYC/AML implementation in different ways. Many are waiting for established protocols to ease the way.
But others, potentially driven by the enormous costs of simply maintaining routine AML/KYC measures and paying the fines when they inevitably fail, are biting the bullet and trying to find ways of establishing their own protocols.
It's safe to assume that most solutions will be largely focused on identity, however.
"Digital identity solutions work differently per system. Regarding the systems that I have worked with, they are encrypted via bi-dimensions. Systems decentrally confirm the validity of a user, transaction, or asset. Since the operations are connected directly it enables you to utilize mobile devices to serve as an authenticator – that is the future of not only digital identities but nearly all transaction systems."
Waiting and seeing
The institutions that choose to wait for a more established protocol, rather than trying to get ahead of the game by blazing their own trail, might not have to wait too long though. Several startups are racing to create a globally effective blockchain KYC/AML solution, and can get a leg up on real-world trialling – the key ingredient – through force-multiplying partnerships.
An example of this is the recent partnership between the Trunomi and Shyft platforms to work on different facets of blockchain ID, with help from the Bermudan government which is aiming to redesign its financial sector around blockchain technology.
Essentially, Shyft brings the core blockchain technology and protocol to the table; Trunomi brings its expertise in consumer-consent frameworks to help shape it into a viable form; and Bermuda provides the real world.
These kinds of arrangements may stand to put a functional, effective and real-world-tested blockchain AML/KYC solution on the market extremely quickly. From there, adoption might be substantially spurred by Bermuda's hub-like role in global financial services, spreading like a friendly virus to the financial institutions that come in contact with it.
"The Government of Bermuda has decided to lead the way and build interoperability into the government legislation, in essence, approach regulatory frameworks with exportability in mind. This is our Bermuda jurisdiction as a service, the high level of exportability 'stack' that includes technology, regulation, process and protocols," said the premier of Bermuda, David Burt, in a statement on the trilateral-ish partnership.
"Trunomi's immutable consent framework and data rights management technology is an integral part of our global ID and KYC vision by enabling privacy by design, and proving accountability in data use and full transparency and interoperability across multiple markets and systems," said Shyft CEO Bruce Silcoff. "Global data privacy laws now firmly put the customer in control of the relationship and ultimately their own data and identity, which can only be shared with the consent of the consumer, for a specific purpose and they need to be able to easily revoke this consent. Trunomi is capturing, tracking, proving and sharing these data permissions to all parties and providing real time tools to adjust these rights."
The end result, and potential current state of the art in terms of real-world use and broad adoption potential, is an e-ID system that will initially be rolled out in Bermuda, then expanded to a growing range of participating nation states and large companies that sign up to join the network.
If it means accessing a working, adoptable blockchain ID protocol, and finally putting a stopper on the sheer wastefulness of traditional transaction-focused AML/KYC systems, banks might be eager to sign up.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and XRB.