Bank compliance, technology and back-office executives will soon be faced with a lot more headaches in preventing and reporting possible money laundering and other illegal activities conducted through payments transmitted by European wire transfers.
Effective June 2017, financial firms — specifically banks — will have to monitor their wire payment messages more closely and file suspicious activity reports with local regulators if any information seems incomplete or amiss. Given the vast number of wire transfers banks handle each day, they must combine stronger oversight procedures with the right monitoring technology.
Europe’s new wire transfer rules — the Funds Transfer Regulation (FTR) — require that any transfer of funds made by financial institutions between European countries or between a European country and any other country, including the US, include complete information about who is sending the money and for whose benefit. Simply ensuring that the correct amount of money is sent and received by the right party won’t be enough.
Regulators have good reason to want all the extra scrutiny of wired payments. Hiding the true identity of senders or receivers of payments can be a means of money-laundering, avoiding sanctions or funding terrorist activities. Banks are seen as being in the front line to prevent funds from falling into the wrong hands.
The FTR’s implementation date coincides with that of the fourth European Anti-Money Laundering Directive. Its rules are based on the 16th of 40 recommendations made by the Financial Action Task Force (FATF) in 2012. Established in 1989, the inter-governmental FATF establishes policies to prevent money laundering and terrorist financing.
To comply with the FTR, European banks making cross-border and domestic payments of over E1,000 will have to verify they have the right data about the originators of the payments and the payees or beneficiaries. The originator or payer represents the person or institution holding the account from which the payment will be made. The banks receiving the payment must also verify that the information on the payee or beneficiary is correct before crediting its account with the funds. The verification rules for domestic payments are a bit more lenient.
When both banks involved in a wire transfer are located in the European Union, the bank representing the payer will only have to confirm the information if it has received funds to be transferred in cash or anonymously. That bank will also have to confirm the information if it has reasonable grounds to suspect money laundering activities are taking place.
Just what is the right information? The data on the originator or payer of a wire transfer payment will have to include the name of the payer, the payer’s account number, and address or other identifying information such as its national identity number, customer ID number, date of birth or place of birth. The payee information must include the name of the intended recipient of the funds and its bank account number.
Verifying the accuracy of data in the wire transfer message is just the tip of the iceberg in what bank cash payment and wire transfer departments must do. The European rules will require payee banks receiving too many messages that are either incorrect or incomplete to notify their local regulatory agency and identify originating bank. “While filing a suspicious activity report is nothing new for a bank, what could become problematic is deciding when a report must be filed,” explains Jacqui Hatfield, a partner with the law firm of Reed Smith in London. “The rules stipulate that it should be when too many such messages are received from a single bank, but does not clearly define the number.”
Bank AML compliance departments will have to devise their own policies for deciding when to file the suspicious activity reports. They will also be required to play bad cop by issuing warnings, setting deadlines and eventually rejecting wire transfers from other banks that are consistently incomplete or incorrect. They could even opt to end relationships altogether.
Given the need to ensure data accuracy and report suspicious conduct, the wire transfer and cash payments departments of banks will be spending a lot more time checking out their transmissions through the network operated by the La Hulpe, Belgium-based SWIFT, a popular payments transfer network. SWIFT could not estimate what percentage of wire transfers transmitted through its network fall short of the new European requirements. However, wire transfer operations managers at several US banks estimate it could be as high as 25 percent with most of the deficiencies taking place when identifying the payee or beneficiary of the funds.
The bar for being fined by a regulator is very low. Just one illegal action is all it takes. That is because if information in the SWIFT message is missing or unclear, the transaction might indirectly contribute to violation of a government sanction. Although SWIFT is by no means fostering illegal activity, the current structure of its MT 102, MT 103 and MT202COV messages used for making wire transfers has unintentionally made it easier for criminals to get away with bad conduct.
Case in point: In 2014 BNP Paribas paid US$8.87 billion in fines to the US Department of Justice and others for violating US laws prohibiting US banks from doing business in Sudan, Iran and Cuba. According to the text of the enforcement action, the French bank avoided being caught by obscuring the names of the identifying account holders in the SWIFT network, either altering them or replacing them with the name “unknown.” BNP Paribas declined to comment for this article on any specific changes it has made to how it transmits and monitors wire transfer messages through the SWIFT network.
SWIFT currently requires that both Field 50 of SWIFT’s MT 102, MT 103 and MT202COV messages, identifying the originator of the payment, and Field 59, identifying the payee, be completed. However, SWIFT gives users of its network the choice of either using a structured format or narrative text. Bank wire transfer managers say it is a lot harder to catch illegal activity by comparing information in unstructured text with names on government watch lists or lists of embargoed countries.
The MT 102, MT 103 and MT202COV messages rely on SWIFT’s proprietary MT standard which does not comply with either ISO-compliant 15022 or XML-based ISO-compliant 20022 message formats. Instead, the standard has its own technical format which predates the use of the XML protocol. “The message types have been relying on free-format fields for originator and beneficiary information since they were first introduced in the 1970’s, says Stephen Lindsay, head of message standards for SWIFT. “They were fit for purpose then and basically still are.”
However, SWIFT will eliminate the free format option for the originator and beneficiary information in the three messages in 2020. The mandatory use of structured fields will result in a clear distinction between the name and the various elements of the address. ISO two-character country codes will also be required to be used to unambiguously identify the country of the originator of the payments and the country of the beneficiary of the payments.
SWIFT insists that the change in message formats is not related to the new European wire transfer rules, but the need to improve overall data quality. “Users of the SWIFT network can still remain fully compliant with the rules using the unstructured fields. FATF Recommendation 16 does not impose the use of structured fields and it is perfectly possible to comply with the rules using free format fields,” insists Lindsay. However, as he acknowledges financial firms do need to screen messages more efficiently to catch the bad guys without holding up legitimate transactions. To do so, requires automation and effective automation requires more structured and granular data.
Why wait until 2020 then? The three year gap between the time FTR takes effect and the time SWIFT alters its three MT wire transfer messages leaves banks with far more back-office work to do when monitoring their inbound and outbound wire transfer transmissions. They also face a higher potential for error. As Lindsay explains, although the reformatted MT102, MT 103 and MT202COV messages will still be based on SWIFT’s own technical format, the change to require the use of structured fields has far-reaching operational implications. Banks will need to populate details in a structured form to be carried through multiple systems before a message is generated in the back-office.
Even SWIFT’s best intentions can only go so far. Granted, if both Field 50 and Field 59 are not completed, the SWIFT network will not transport the wire transfer message. Yet SWIFT cannot verify most of the actual content of the MT message; it cannot know whether a name or address used is legitimate. It can only validate the ISO country code used to identify the originator and payee.
New York-based Volante Technologies, a message validation and transformation software provider, says it has come up with its own subscription-based payment message validation service called VolPay which will prohibit messages from being transmitted through the SWIFT network if they are incomplete or incorrect. The service can rely on either SWIFT’s syntactical rules or even more advanced semantic-based best practice rules set up by Volante’s users to comply with the new regulatory requirements.
“Even though SWIFT may allow its users to populate free format fields, Volante can enforce additional validation by rejecting any message that does not use structured fields,” says Ganesh Srinivasan, director of financial services at Volante. “Volante can also enforce rules that may have been bilaterally agreed with another party to use the free format fields, but in a structured way while still rejecting truly free format content.” Volante’s tool is based in its ability to inspect all of the content of a message and create processing and validation rules that extend beyond those created by SWIFT itself.
So far, six big banks are using the VolPay service launched last year. The benefit: financial firms don’t have to deal with the additional fees and costs involved with SWIFT rejecting a message and their having to send a new one.
Another Volante solution — the VolPay Channel: Beneficiary Self-Service Portal — also allows banks to verify the information about the beneficiary or payee of a wire transfer before sending a wire payment by sending the payee an email asking for the data. The email will contain the message that a firm wishes to remit a certain amount of money and the payee then clicks on a link to be taken to a secure web site. The payee can then enter their bank account details and currency in which it wishes to be paid.
Thus far, one Tier-one bank is using the beneficiary portal. “The beneficiary payments system is configured to communicate directly with the beneficiary and gather the relevant data while handling key aspects such as security and two-factor authentication to bind the process,” says Srinivasan. “Banks can reengineer a traditionally time-consuming and resource-heavy process to deliver better service and protect the end-beneficiary.”
Given that banks will want to increase the number of accurate wire-transfers sent and received, SWIFT has just launched a post-mortem service with Nordea as its first user. Users of SWIFT’s payment data quality service in the payments, cash operations, and compliance departments of banks can evaluate the details in the SWIFT wire transfer messages that were rejected.
The web-based service sets rules for messages related to the originator and beneficiary in the relevant fields and flags messages that falls outside of the regulatory rules for further investigation. Those substandard messages are given their own transaction reference numbers making it easier to find out just what went wrong. SWIFT’s analysis can identify the potential risk related to specific countries, counterparties and branches. Users of the new payments data quality service will be charged a subscription fee tied to the volume of their SWIFT usage.
“There is a widespread recognition within the global banking community that not all payments messages contain adequate and complete originator and beneficiary information,” says Lane Baltzasaisen, senior manager at Nordea Bank in a statement issued by SWIFT. “High-quality payments data is vital to a broad range of compliance activities, including sanctions screening, transaction monitoring and the detection of data anomalies in payments messages.”