
Regulatory Screening: False Positives and Their Customer Experience Impact

False positives in AML and sanctions screening cause headaches for bank customers, and banks can take simple steps to fix them.

Often when banks talk about the impact of false positives in their AML and sanctions screening programs, they talk about the bottom line. That bottom line is this: banks lose money with the manual work involved in dealing with false positives, but if they process transactions that they shouldn’t have, then they have to pay much more. Lost in this focus on the bottom line is how these false positives impact customers, their banking experiences and their lives.

A couple of months ago Stephen Law, a British university professor who lectures internationally on philosophy, illustrated the negative impact of his banks’ sanctions screening miscues on his bottom line in an open letter to the U.S. Office of Foreign Assets Control. Law had been unable to receive payments from the U.S., or even receive items mailed to him from the U.S., because there is a major Burmese drug dealer who goes by the alias of “Steven Law” on the U.S. sanctions list. Professor Law said that his bank told him that they couldn’t explain why his payments were blocked, and that at one point he had to switch accounts because so many were being blocked.


This is obviously no way to treat customers, but banks are willing to lose a customer if it means avoiding a big regulatory fine, says Micah Willibrand, global director risk at Accuity, a provider of compliance and screening solutions. “Everything now is a risk-based decision… if you’re looking at customers who are only opening a checking or savings account, banks don’t want those customers because they aren’t profitable. They don’t care about their customer experience because they’re not worth the risk,” he explains. “With customers who make them money, you don’t see this. You wouldn’t see this with a customer who is a millionaire. The relationship manager wouldn’t allow it.”

Most of the hits in sanctions screening are false positives though, says Willibrand, and banks rarely make the effort to match up different data points to rule out many of their false positives. “There usually aren’t rules around using date of birth and geographic data. They’re just matching names, and that can create big problems for common names like ‘Muhammad,’” he observes.

Using geographic data would have solved Professor Law’s problems, as the Burmese Steven Law’s known activities and addresses are all in South Asia.
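The multi-attribute matching Willibrand describes can be sketched as follows. This is an added illustration, not code from the article or from Accuity; the `Party` record, the 0.8 name threshold, the disposition labels and the country codes ("GB", "MM") are assumptions chosen for the example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

@dataclass(frozen=True)
class Party:
    # Hypothetical record layout; real list entries carry many more fields.
    name: str
    country: Optional[str] = None      # ISO 3166-1 alpha-2 code
    birth_year: Optional[int] = None

def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1] on case-folded, whitespace-normalised names."""
    def norm(s: str) -> str:
        return " ".join(s.casefold().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()

def screen(customer: Party, entry: Party, name_threshold: float = 0.8):
    """Return (disposition, reasons) for one customer/list-entry pair.

    Secondary data lowers a name hit's priority only when every field that
    both records carry disagrees; a missing value never clears a hit.
    """
    score = name_score(customer.name, entry.name)
    if score < name_threshold:
        return "no_match", [f"name score {score:.2f} below threshold"]
    reasons = [f"name score {score:.2f}"]   # kept as the audit trail
    compared = conflicts = 0
    for field in ("country", "birth_year"):
        c, e = getattr(customer, field), getattr(entry, field)
        if c is None or e is None:
            reasons.append(f"{field}: not comparable")
            continue
        compared += 1
        if c != e:
            conflicts += 1
            reasons.append(f"{field}: {c} != {e}")
        else:
            reasons.append(f"{field}: match")
    if compared and conflicts == compared:
        return "likely_false_positive", reasons
    return "review", reasons

# Constructed sample records based on the case in the article.
LISTED = Party("Steven Law", country="MM")
PROFESSOR = Party("Stephen Law", country="GB")
NAME_ONLY = Party("Stephen Law")   # what a name-only screen effectively sees
```

With only names available, the pair still goes to manual review; the geographic conflict is what lets the hit be deprioritised with a recorded reason.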

Banks should also go the extra mile to utilize other data sources like public records and also leverage the work they’re doing in cleaning and managing their own data, Willibrand advises. Many banks are working on breaking their data silos and matching up data across the organization. When someone gets hit with a false positive, the bank needs to update their data so as not to suppress their next transaction, Willibrand notes.

The false positives problem is probably at its apex right now, Willibrand says. Banks have collected huge amounts of data on their customers to start building their digital strategies, and the more data they have, the more false positives they will get when screening for sanctioned entities or money laundering. “But those digital strategies that are being implemented will eventually improve false positive ratios for banks as they learn to better manage their data,” Willibrand comments. The sooner banks can get there, the better for any Steven or Stephen Laws in the world.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

User Rank: Apprentice
5/2/2014 | 2:54:29 PM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
Jonathan, you are very accurate in your assessment. We are hearing about this problem on a regular basis. The leading global banks are challenged with high volumes of exceptions that impact payment processing and on-boarding times but 95%+ of these exceptions are false positives. The banks though are constantly concerned about not reviewing each exception given the regulatory implications (fines) and therefore realize that implementing technology that can intelligently process, auto-resolve, route high value payments etc., with a full "audit" history, is the only option. It's imperative that these systems are agile enough to deal with changes in rules or high visibility issues such as Russian sanctions and are easily able to be modified to meet risk requirements. I think we will see more and more banks implementing rules-driven case management, to not only prove auditability but to streamline alert handling and ultimately reduce false positives and reduce the impact on the
User Rank: Author
5/1/2014 | 10:31:02 PM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
If the bank had matched up the different geographic data points for Stephen Law with Burma vs. Britain, the problem could have been rectified. I would be furious if I was a customer. What if the professor ran out of funds since his payments were blocked?
Abdul Jaludi,
User Rank: Apprentice
5/1/2014 | 5:45:03 PM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
While things like this will happen from time to time, banks have the capability to correct them, especially after a customer complains, but lack the processes to do so. The question is are they failing to do so because they lack the expertise, budgetary constraints, or is it not high enough on their list of things to fix.

Or could it be simply the people who can make the decision to fix the problem don't know it exists?
User Rank: Author
5/1/2014 | 2:36:43 AM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
Law said in his letter that his bank refused to tell him why they were blocking his payments. THAT would make for an angry customer.
Nathan Golia,
User Rank: Author
4/30/2014 | 10:06:44 PM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
It's hard to believe these kinds of snafus can even happen in 2014. Why would this impact the customer's view of the bank, though? Shouldn't their ardor be aimed at the government that forces a bank to stop services without giving them the cleanest data possible? Very frustrating.
User Rank: Author
4/30/2014 | 7:56:27 PM
re: Regulatory Screening: False Positives and Their Customer Experience Impact
There really should be no excuse for not "going the extra mile" in these kinds of reviews. If banks haven't invested in the capabilities to access and organize external data -- if they are unable to determine if there is more than one Mr. Law -- then they have bigger problems than incurring a fine or losing a customer. There are tons of solutions out there, for FIs of all sizes, to help make smart decisions based on all kinds of data. I have no problem with a bank determining that they do not want to underwrite a risky customer, but the decision should be based on actual information and not because they can't tell the difference from other people.