GRC Tuesdays: Effective 3rd Party Monitoring is Like a 3-Stage Rocket – Powerful and Yet Manoeuvrable
It all started with Netflix
Believe it or not, I was invited to a meeting on fraud detection and deterrence in banking recently where we started by discussing an episode of Netflix’s Dirty Money docuseries: Cartel Bank.
The discussion wasn’t so much about the episode itself (a shame because I really thought it was well done) but rather on one of the aspects: the monitoring of 3rd parties.
This company was in the banking industry and, of course, had an AML (Anti-Money Laundering) practice but was inquiring about how to make it more effective.
One of the issues they raised was that “risky” business partners would usually not declare themselves as such and would instead make a few changes to their identification details. By flying under the radar, so to speak, they could use the services of the bank without raising alarms, and this would put the financial institution at reputational, if not regulatory, risk.
They were therefore looking for ideas and suggestions on how to address this topic and quickly identify these parties even if disguised.
As I replied, I personally see 3rd party monitoring as a 3-stage rocket: a complex process that, if supported by the right technology, can be powerful yet manoeuvrable, flagging not only the obvious outliers that should be denied, but also raising alerts on individuals or organizations that could potentially be an issue due to their proximity to a denied party.
1st stage: the booster
In a rocket, the first stage is the core module, known as the booster, and it has a sole purpose: to provide the thrust that lifts the rocket out of Earth’s gravity.
Drawing the parallel for the bank, this would be scanning all its business partners (customers, suppliers, etc.) against defined lists of sanctioned or exposed parties, so that it can decide whether it can indeed do business with all of them or whether some need to be manually reviewed and potentially avoided. Lifting all the weight in a single exercise, this is the safety net that ensures regulatory compliance.
To specifically address the issue of the disguised party, this mass detection should be run with relevant parameters such as initials (e.g. J. for James), term mapping (e.g. St. for Street), aliases, and the percentage of correspondence between the party in the company’s system and the information in the lists (a match on the name only, a match on part of the address only, etc.), but also with a fuzzy search approach, so that typos, name variations, accents, umlauts and so on are taken into account in the exactness score and provide the investigator with a complete context.
2nd stage: the restartable engine
Much like in rockets where, once the 1st stage has burned all its propellant and the rocket is well on its way, it detaches and returns to Earth so that the second stage can continue without the dead weight of the empty container, the same applies to 3rd party monitoring.
In this second phase, the company is already working with a number of business partners, but watch lists are regularly updated with new information: new profiles added, updated aliases used by an individual, new business relationships for an organization, etc. So the organization needs to ensure that it continues on its right – compliant – trajectory.
The company would therefore have the choice of launching a new rocket and starting all over again at stage 1, which is of course feasible but would require some processing time, especially if the number of parties monitored is very large, or igniting the second stage of its rocket and only burning the additional fuel, so to speak, to stay on track: that is, only reviewing the delta changes in the watch lists. This makes the process much lighter and faster while remaining compliant.
To screen the entries in address screening lists that have changed since their initial import, companies perform what is known as a delta screening by defining a delta import date (the period when the delta screening list was imported into the system) and a search period (the dates when the business partners the company will focus on were created).
But there’s a catch that shouldn’t be overlooked or it might create a lot of work: the weak aliases!
Data providers usually deliver complete address screening lists when they are initially contracted. Mass detection, as explained above, is then used to perform the initial address screening on these complete lists. Afterwards, the data providers usually only deliver changes to those lists, and some of these changes might be minor but lead to a lot of manual review, especially in the case of weak aliases. Let’s assume that the authorities come to know that Johnathan Doe Smith is also known as John. They will simply add this new alias “John” to this individual.
In the next delta run, this single change might match hundreds of existing business partners and create numerous alerts. The compliance team might then spend weeks resolving false positives after each such delta run.
As a result, I strongly suggest applying a weak alias protection approach in delta screening. A weak alias is a name or address in screening lists which can potentially create too many false positives. A weak alias protection approach will help the company avoid a large number of false positives produced by weak aliases in the delta screening. John, Joe, etc. will be qualified as low contributors to the detection score and therefore won’t automatically trigger a new investigation by themselves.
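As an added illustration (not code from the original post or from any screening product), the Python routine below puts together the 1st-stage matching parameters listed above (initials, term mapping, accents and umlauts, fuzzy name score) with the weak alias protection for delta runs described in this section; the watch list entry, partner names, weak alias set, weight and alert threshold are all constructed sample values. The same `screen` call is what a per-transaction online check in the 3rd stage would invoke.

```python
import difflib
import unicodedata
# Constructed sample data (hypothetical, not a real watch list): in the delta
# update the authorities add the weak alias "John" to Johnathan Doe Smith.
WATCH_LIST = [{"id": "WL-001", "name": "Johnathan Doe Smith", "aliases": ["John"]}]
PARTNERS = ["Jonathan D. Smith", "John Miller", "Maria Lopez"]

TERM_MAP = {"st.": "street", "rd.": "road"}   # term mapping (St. for Street)
WEAK_ALIASES = {"john", "joe"}                 # low contributors to the score
WEAK_WEIGHT = 0.3                              # assumed weight for a weak alias
ALERT_THRESHOLD = 0.8                          # assumed exactness score for an alert

def normalize(text):
    """Lowercase, strip accents/umlauts, expand mapped terms, drop dots from initials."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return [TERM_MAP.get(tok, tok).rstrip(".") for tok in text.lower().split()]

def token_similarity(a, b):
    """Fuzzy token score in [0, 1]; a single-letter token is treated as an initial."""
    if len(a) == 1 or len(b) == 1:
        return 1.0 if a[0] == b[0] else 0.0
    return difflib.SequenceMatcher(None, a, b).ratio()

def name_score(partner, listed):
    """Average of each listed token's best match in the partner name (typo-tolerant)."""
    p, l = normalize(partner), normalize(listed)
    return sum(max(token_similarity(lt, pt) for pt in p) for lt in l) / len(l) if p and l else 0.0

def screen(partner, entry, delta_only=False, protect_weak=True):
    """Score one partner against one list entry. In a delta run only the newly delivered
    aliases are screened; weak aliases are down-weighted so they can't alert on their own."""
    candidates = entry["aliases"] if delta_only else [entry["name"]] + entry["aliases"]
    best, reason = 0.0, None
    for cand in candidates:
        s = name_score(partner, cand)
        if protect_weak and cand.lower() in WEAK_ALIASES:
            s *= WEAK_WEIGHT
        if s > best:
            best, reason = s, cand
    return best, reason

def alerts(partners, watch_list, **kw):
    """Return (partner, entry id, rounded score, matched name) for every hit."""
    hits = [(p, e["id"]) + screen(p, e, **kw) for p in partners for e in watch_list]
    return [(p, i, round(s, 2), r) for p, i, s, r in hits if s >= ALERT_THRESHOLD]

if __name__ == "__main__":
    print("mass detection:", alerts(PARTNERS, WATCH_LIST))
    print("delta run, weak alias protected:", alerts(PARTNERS, WATCH_LIST, delta_only=True))
```

Running the delta with `protect_weak=False` shows the problem the section describes: the alias "John" alone raises an alert on "John Miller", while the protected run raises none.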
The 3rd stage: the payload
Once the first 2 stages have performed their duties, the payload (the satellite or spaceship) delivers its mission. But even then, there are some smaller rockets to manoeuvre the unit. Here, the company needs to be very agile and as close to real time as possible to stay on course, but not at the expense of its objective, or it wouldn’t be sustainable.
This is where online screening takes place. In this phase, the company performs a real-time check during an individual business process.
For example, a claims examiner wants to check a new claim for signs of fraud. The examiner initiates the claims process in their source system and, behind the scenes, an online screening is triggered that compares the stakeholders on the claim to individuals in watch lists. The claims examiner automatically receives a notification of whether or not an alert was raised for the detection objects, and any payment can even be blocked automatically in a proactive manner. This means that screening becomes a fully supporting part of the business process flow, without disrupting it.
Where this 3-stage approach differs from a SpaceX Falcon 9 rocket, though, is that the containers of the 1st and 2nd stages don’t detach from the rocket and the fuel doesn’t run out: they remain ready to be reignited whenever needed and never run out of propellant.
What about you, how does your organization manage business partner screening? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard