Billion Dollar Fines won't fix AML

Is Finance, Fintech and Crypto so back and will we learn lessons from 2021? Plus, AML is still broken, Robinhoods largest acquisition & Revolut passes 50m users.

Welcome to Fintech Brainfood, the weekly deep dive into Fintech news, events, and analysis. You can subscribe by hitting the button below, and you can get in touch by hitting reply to the email (or subscribing then replying)

Hey Fintech Nerds đź‘‹

The vibe shift is real. 

Fintech markets are up, Bitcoin is at an all-time high, Revolut passed 50m customers, and Robinhood made its largest-ever acquisition. (Things to Know đź‘€)

Sponsor banks, crypto companies, fintech companies, and even banks feel like America is open to business again after the election. We’ll get a new FDIC chair, House Financial Services Committee Chair, and one party that controls the Presidency, House, and Senate.

I got a front-row seat at this week’s AFC Policy Summit in D.C. 

Several things happened at once. The Chair of the FDIC, Marty Grunberg, retired, whom one C-suite sponsor bank described as “the problem.” In reality, bankers with 20 to 30 years of experience had never felt pressure as they did in the last four years, describing it as “they kept looking until they could find a needle in the haystack.”

Embedded finance is back open for business.

As a fan of Fintech, I am happy that builders get to build again. We likely overcorrected with enforcement from the Fintech and Crypto booms of 2021. But FIntech and Crypto did have real issues. There are still consumers being harmed by a certain bankruptcy, FTX was a giant fraud and remember SVB?

I hope we don’t lose sight of what went wrong in the last Fintech Mania.

Let’s build better Fintech.

Let’s build Finance Accelerated (f/acc)

PS. I'm taking December off of running the newsletter. Running a weekly 4,000-word newsletter can be a grind. On top of a full-time job and being a dad to two young kids, I need to rest and focus on a few things I'm cooking up.

I'll be back towards the end of the year with a year in Review and the State of Fintech 2024 report.

Here's this week's Brainfood in summary

đź“Ł Rant: $3bn fines won't fix AML

đź’¸ 4 Fintech Companies:

  1. Five ID - The palm identity company

  2. Diesta - Reconcile and automate insurance payouts

  3. Credit Logic - The new Mortgage Origination platform

  4. Plumery - A Design System for FIs

đź‘€ Things to Know:

If your email client clips some of this newsletter, click below to see the rest

Weekly Rant đź“Ł

Why $3bn fines won’t fix AML

How we manage financial crime matters.

If you live near a border. If you've been impacted by the opiod crisis. If you or your family has been a victim of violent crime or scams from cartels, then you can draw a direct line between that harm and the type of AML failings we saw with TD Bank.

Yet this keeps happening. Something isn't working.

The definition of insanity is doing the same thing and expecting a different result. Yet despite decades of regulators handing out fines for AML failings, the problem is getting worse, not better.

Every time there's a large failure, the response is to throw people at the problem and tighten up controls. This helps for a short while but is a linear response to an exponential problem.

We live in a politically unstable world, where sanctions, tariffs, and targeted hacks are all massive new risks.

Facing these challenges the way we always did won't work.

Several trends are compounding the growth of financial crime.

  1. The fines don't create an incentive to solve financial crime well. They create an incentive to do it slightly better than terrible. Despite AML offenders paying $29.8bn in fines, they keep happening.

  2. Financial crime is a worsening problem. State-sponsored and organized criminals are becoming sophisticated in how they launder money globally.

  3. A lack of innovation. AML controls are rooted in legacy technology, culture, and fighting yesterday's war.

  4. Regulation is reactive, not proactive. It responds to failures or crises, but it's not designed to take advantage of innovation. It's also not global.

  5. Inclusion vs security. AML controls, like nearly all compliance rules create cost, high barriers to entry, and financial exclusion.

We have to fix this.

There are two primary wishes I have.

  1. We build more thoughtful engagement with and from regulators and Fintech innovators. The big companies that are most engaged with regulators are the ones that have the time and staff to do so. We have to balance that.

  2. We raise the bar in technology sophistication in supervisory and compliance functions. While some are excellent, the bar is low.

1. Financial Crime is getting exponentially harder to fight.

We're in a more uncertain world, where sanctions happen faster, and criminals have better technology.

The West's response to Russia's invasion of Ukraine has been spearheaded by sanctions. Any linked entity has had to find multiple ways around this sanctions regime to continue the business. Overnight banks and non-banks faced an explosion of names to add to their sanctions list, and monitoring systems were alerting like crazy.

Russian-based sanctions alone rocketed by 816%, adding 14,000 risk events in 2023. Yet. 95% of all alerts from the basic sanction screening techniques are fake. This is unsustainable.

Organized crime has gone global. Digitization made business global for criminals. Just as digital adoption spiked for everyone in the pandemic, the same is true for criminals. They can operate at a global scale.

Interpol

Arms dealing, drug trafficking, financially motivated cybercrime (ransomware), and counterfeit goods are global in nature.

Every stat you pull is staggering.

  • The International Labor Organization estimates that human trafficking generates about $150 billion in profits per year globally.

  • The UN estimates that transnational organized crime generates $1.6 trillion to $2.2 trillion annually as of 2022, equivalent to 1.6% to 2.2% of global GDP (Roughly the GDP of Brazil or Canada).

The result of all of this is companies now have to deal with a tsunami of alerts and SARs.

The total number of SARs filed in 2022 surpassed 3.6 million filings, an increase of 57% from pre-pandemic 2019 levels.

Thompson Reuters

If their default approach is manual and batch, they're getting drowned or missing things—likely both. The answer would be much more straight-through processing and automation.

The exponential growth of risk means that no matter how good the controls are, we'll keep seeing this kind of fine issue.

2. What happened with TD Bank will happen again.

The $3bn fine TD Bank received for serious Anti Money Laundering (AML) failures is just the latest in a long string of fines against banks for this type of failure. While each has remediation plans and takes steps to improve, the industry culture is to be not the worst, instead of really good.

That always seemed so broken to me.

Fines don't work; they just make things temporarily better.

The league table of Anti Money Laundering (AML) fines and penalties makes for ugly reading

The top 10 alone have paid a combined $29.8bn.

So why do we keep getting these headlines?

The US Government Accountability Office reported that of $9bn in collected penalties between 2009 and 2016, around $1.1bn went to law enforcement and $2bn to "victims." But the penalties aren't solving the problem.

Imagine if those fines went into funding R&D for fighting crime instead of just funding agencies.

Imagine if, instead of hiring staff and implementing more checks, we leaned into innovation and dynamism in problem-solving.

The problem?

We're in a perfect storm of AML and sanctions pain for anyone in financial services. Criminals are becoming more sophisticated, but our policies, controls, and approaches to R&D are not.

3. A lack of innovation is ballooning costs and excluding the vulnerable.

The default is to throw bodies at the problem.

That's unsustainable.

The stats don't lie.

  • Financial crime compliance costs have risen for 98% of EMEA financial institutions

  • Eighty-one percent (81%) of financial institutions prioritize cutting compliance costs in the next 12 months

  • 72% of organizations noticed rises in labor costs related to full-time employees and part-time salaries in the past 12 months

SARs are growing at ~33% CAGR. That's double the NASDAQ. (Yes, there's some element of companies raising defensive SARs, but that's not the whole story)

Take a worked example. A transaction monitoring system creates an alert because an account created multiple transactions just below reporting thresholds (e.g., $9,000) within a short time frame.

A batch rule would run overnight for an analyst to review this, perhaps the next working day. The analyst then has to start pulling together a case based on the raw data from the payments system, plus anything else they can find. Are these the only transactions? What other accounts are they going to? Is this the whole activity, or are there other linked accounts?

Imagine trying to figure that out from raw, CSV-like data.

That's why there's so much manual work in compliance.

Compliance creates costs that make low-income segments unprofitable to serve. If the cost of onboarding a customer through KYC who happens to be an immigrant from a sanctioned country is too high, most FIs won't take that risk. That immigrant could be a refugee or skilled migrant worker. But often that doesn't matter.

To fill this gap, Fintech companies have a lower cost to serve but often try to include those vulnerable populations. There's one huge catch.

Criminals often come from high-risk areas and populations.

It's almost impossible to serve high-risk populations without also having a much higher risk of criminal activity. If you're concerned about risk, the rational thing to do as an FI is not to serve the vulnerable. They're too expensive and too risky.

This default to legacy technology and processes is a culture issue compounded by reactive and not proactive supervision and regulation. The regulators have a serious and correct point: They should first require an organization to understand its risks before it starts to control them.

But there's also a quiet-part-out-loud, nobody-gets-fired-for-buying-the-legacy-tool problem.

I had a conversation last week with a very senior compliance officer from a major Crypto organization who said, "we bought <legacy vendor> because we knew it would give the regulator comfort, but its shockingly bad at actually detecting the type of risk we have."

The shift to effectiveness needs to be data-driven for FIs and supervisors. Knowing if your compliance policy works is a surprisingly hard question to answer. You can't catch crimes you don't detect. But you can constantly review historic data, based on new evidence and change things.

Back-testing and sample testing are core parts of second-line support and ongoing risk assessments. However, the cultural default has been to do this on 0.5% of users or less and with output from legacy systems. Compliance teams are flying blind. It's now much more common for Fintech companies to benchmark effectiveness in real time on 100% of the user population.

None of this is impossible; it's just not where the bar is. It should be.

While the lack of innovation is causing operational issues, there's an even more fundamental problem at play.

4. The gap between AML supervision and innovation

  • AML law is set without regard to or experience of modern implementation

  • AML policy is held back by the lack of a ground truth register of identities, companies and underfunded law enforcement

  • The AML problem is global, the implementation is national.

AML Policies are often set without the experience to implement innovative solutions. AML laws and rules are created by tenured professionals who deeply understand crimes and threats. However, they are not always created by engineers and entrepreneurs. As a result, we get a policy from policy folk, for policy folk often from the world's largest organizations.

This policy creation approach is well intended. Everyone is trying to do the right thing. The issue is that getting in the room to shape the discussion requires the budget to travel to the room and the relationships to be invited in the first place.

There's almost no way to try new things.

It's the precise opposite to how criminals work and evolve their attacks. They don't sit in committee rooms when coming up with policy documents. They try shit, and if it works, they do it more.,

If you're great at AML technology, you're probably building it, not shaping policy. We have to close that gap.

AML policy is hampered by poor global identities, complex company hierarchies, and underfunded law enforcement. Creating a company is trivial. Have you ever done it? It's so easy and cheap. Almost no KYC is required to create a company; all that effort happens at banks.

If you're a criminal, you intentionally exploit the system's weaknesses.

  • A criminal can quickly create a small UK LTD company or LLC but have it really be owned by an offshore trust company in the Cayman Islands, which has owners via Panama, and suddenly, the paper trail gets harder to unravel.

  • Then they'll look for the small bank, branch or Fintech company that doesn't do sophisticated UBO checks

Even if a bank spots that and raises it with law enforcement (via a suspicious activity report or SAR), the law enforcement agencies might not take action because they lack the funding, tools, or talent to follow up.

Adopting new tools or recruiting talent often gets stuck in the clunky public sector procurement process (except Palantir). We need some AML dynamism.

Criminals are a global issue; implementation can only be done by nation-states and bodies. The Financial Action Task Force (FATF) creates recommendations and guidelines adopted by United Nations member countries. Yet it consistently finds that implementation varies wildly in everything from how statistics are reported to how controls are implemented and how effective they are.

We're left playing whack-a-mole with digital tools, trying to chase down bits of paper, PDFs, or CSVs to fight an exponential problem. Consistently, the solution appears to be to "hire mo' people."

It's not working.

5. Solutions: AML Regulation and Policy

The primary purpose of the Financial Action Task Force is to harmonize and drive the adoption of financial crime and AML rules globally. Much of this involves humans thinking, sharing knowledge, and making laws.

But almost none of it involves tech.

That's a giant missed opportunity.

If I had a magic wand, I'd love FATF to

  1. Set up a working group for data-driven supervision and control. This would include the world's largest banks, Fintech companies, and a handful of regtech companies.

  2. Create standards for effective, data-driven control. The objective would be to produce a set of technical standards for performing AML effectiveness testing, updating SARs and policies, and publishing to GitHub.

  3. Create standards for private by design data sharing. Financial institutions can share information through a patchwork of local and international rules

  4. Move from creating PDFs to creating API specs. Looking through the last 12 months of publications, you will find barely any mentions of how technology or data should be used.

Now, replicate this for any regulator on a national or regional level.

The problem with regulation is it's often constrained by law-making and low budgets. Most people I've met at regulators are woefully underpaid compared to what they could make in the private sector, and their tools are ancient.

Bridging the gap between policymakers and implementers. We need direct engagement between innovators and regulators. Often, those in the plenary and the room with the regulator are those with the budget to have a government relations team or staff. That skews to the incumbents. We had a cycle of regulatory innovation "offices" that fell out of fashion but have never been more needed. Please bring those back.

Then maybe we'll all get a little bit further, a little bit faster.

6. Solutions: Upskilling AML Ops

Embracing technological innovation in AML practices. New tools exist. Of course, plenty of innovative tools can help (like Comply Advantage, Sardine*, and Hummingbird). However, the practical reality is that most FIs and the long-tail of non-banks haven't built or bought this level of sophistication.

What they've done instead is gradually add more and more complexity to a legacy stack.

Embracing these innovative tools requires a workforce capable of leveraging them effectively. Therefore, improving data literacy and AI adoption among compliance professionals is crucial.

Improving data literacy and AI adoption among compliance professionals. Compliance officers and supervisors need to be data literate and actively able to use AI tools. This is non-trivial to achieve, but if we're going to make a difference, we're going to have to adopt new tools and ways of working.

That gets a lot easier if policy has given the space. While there's nothing implicitly written that says you can't use AI. The culture of examination and procurement makes doing new things feel risky.

Summary

The biggest unlock is the permission to innovate.

If we want to escape the endless cycle of giant AML failings, followed by fines, and hire people to do manual work, we must change our defaults. The new default is adopting new tools, being data-driven, and a culture of willingness to tryin new things.

We have to do better if we want to control crime and unlock economic opportunity.

Yes.

On some level, friction is inevitable if you want some systemic security.

However, our policies for AML (and compliance generally) aren't upgradeable; they are underfunded and impact everything we do.

All of this can be changed.

Let's change it.

ST.

🧠 If Fintech Brainfood did a training course, what should it be about? I get asked to do this a lot, so I've put together a survey. I'd love your thoughts. Give this link a click. It will take 30 seconds and your answers will help me massively 🙏

4 Fintech Companies đź’¸

1. Five ID - The palm identity company

Five ID's proprietary tech enables palm identity verification and payment authentication. Palms are considered a good balance of low-friction and high-security biometrics. The team is ex Revolut, Wise, Amazon, Onfido and they're building custom POS hardware.

🧠 Hardware is hard, but the timing could be good. Over the last few years, Amazon has tried and failed with palm-based payments several times in Whole Foods and elsewhere. The palm could be a good way to use the point-of-sale device as a way to build a new payment channel, but distribution is critical. Who do you partner with? Adyen? Stripe? FreedomPay? And why will merchants adopt this? The better wedge is something like CLEAR at airports. Get people where they already have a need.

2. Diesta - Reconcile and automate insurance payouts

Insurance providers give Diesta an insurance policy, bank payment details, any statements and contracts. The service can also automate policy payment collections and aims to lower admin time and expenses when paying out on a claim. It provides one standard gateway to all bank partners and handles the reconciliation of multiple accounts.

🧠 The Finance Ops stack for insurance is a vertical we'd been missing. You have to imagine this is a fairly major category. It feels like insurance is finally joining the digital transformation revolution; embedded insurance is picking up, and the internal stack is changing.

3. Credit Logic - The new Mortgage Origination platform

Credit Logic dramatically simplifies the user experience of mortgage applications. It helps lenders integrate countless data sources into a single dashboard, reducing processing times by 90% and operating costs by 50%.

🧠 Mortgages are the key profit center for banks; it's wild that the experience in the U.K. is still so poor by default. We know removing friction improves conversion. They already live with two of Ireland's largest lenders (AIB and PTSB) and want to expand into the UK. I think they have a great shot.

4. Plumery - A Design System for FIs

Plummer is a set of developer-facing APIs that enables rapid application development and deployment for banks. The service allows banks to build on modern or legacy core banking platforms. It's helping F.I.s slowly strangle their legacy cores and move to a new platform.

🧠 The long game for banks is to get closer to Nubank-like unit economics. The annual cost to serve for a company like Nubank is closer to $10; for a bank, that is at least $100, often 2 or 3x more. Many banks are now looking for an application platform that sits above the legacy and a modern core. This allows them to develop at the speed of Fintech while slowly migrating from legacy to modern over multiple years. (This was always the vision with 11:FS Foundry FWIW).

Things to know đź‘€

1. Revolut passes 50m users and may want to buy a US charter

CEO Storonsky also told investors in Helsinki “In the US, you need to be credit driven. We need to have a banking license to launch a product,” reflecting on earlier mistakes he added that it was a mistake to wait to get regulated. It’s much easier to do when you’re small not at scale.

Revolut also announced it now has has 50m customers globally, with 10m in the UK, in a big year where the company saw a $45bn valuation and received its UK PRA banking license with restrictions.

🧠 Timing for acquiring a charter could be good. This is a well worn path that we saw LendingClub and SoFi execute. With a change of administration, the timing may be now for their US market entry.

🧠 License first, scale second challenges the orthodoxy of Fintech. It might explain Revolut’s recent US banking licence, and flips how companies go about market entry.

🧠 The user growth is driven by Europe, a traditionally hard market for hypergrowth. Despite being perceived as not a growing region, countries like Poland and Spain are doing very well economically, and Revolut is well positioned there.

🧠 Will a license unlock US growth or a US listing for IPO? They’ve been trying for five years or so but haven’t gotten real traction. It’s a super competitive market, and a license will help drive economics, but I’m not sure it gives them a right to win. But it does give them a real reason to IPO there. Maybe they move into M&A?

🧠 Can they grow in LATAM or MENA? Revolut is consistent, blitzscaling and executes, but they’re not the only player in these markets. Like the US they’re becoming more competitive.

🧠 They could be the first “global” digital bank. I wouldn’t bet against Revolut on anything at this point. They’ve consistently proved the haters wrong.

Robinhood has acquired TradePMR for $300m, a platform for Registered Investment Advisors with 1000 RIAs and $40bn under administration. For the medium term the goal is to leave TradePMR alone to operate, but long term there’s a few possible implications.

🧠 RIA’s need a strong digital channel for the $80trn wealth transfer. As boomers begin to pass on their assets to their families, often the RIA loses the customer and their assets. If they can meet the younger generation where they already are (like Robinhood) this is a big retention hook.

🧠 Robinhood is a custodian, so could one day gain $40bn AUM. Most assets in RIA today are custodied with incumbents like Wells Fargo, but moving that to Robinhood would be a huge win.

🧠 It helps Robinhood expand to more sticky, less volatile revenue. The average Robinhood customer has $6,000 of assets and an ARPU of $100. Revenue varies with the market cycle. Robinhood has diversified with a Roth IRA, Gold, and its Gold Card (via the X1 acquisition). RIA’s make 1% of all assets, the servicing firm and custodian get a good piece of that.

🧠 This is a $trn TAM market where 75% is owned by incumbents like Schwab. There’s room for a competitor in a market that’s poorly understood.

Bloomberg reports that Brazil’s Nubank is considering moving its headquarters to the UK despite being listed in the US. Klarna also recently set up a UK-based Holdco ahead of its IPO. Why?

🧠 Corporate overhead and regulation in HQ jurisdictions like the Cayman Islands are becoming more difficult. (Nubank has its headquarters in Cayman today.) As part of the crackdown on international tax evasion and AML, offshore jurisdictions are becoming harder places to do business. If that hurt stock futures, companies would go shopping for jurisdictions.

🧠 The UK is politically stable, and UK law is generally perceived as fair. UK regulators are accessible and there’s a strong talent base in financial services and law (it’s uncanny how much work the UK law firms do in global finance).

🧠 Why not Ireland? Apple and Stripe are there for the low corporation tax. However, Ireland is a hard place to be a financial services business with a large headcount requirement and Irish “substance requirements” can be a time killer for companies that have automated much of the work.

Good Reads đź“š

Wow. Alex goes hard on this one. The summary is that the market has a barbell of data approaches. The corporate: We will take all of your data, but don't worry, it's good for you. Vs. The consumer advocate: NO consumer data should be taken if it's negative in any way. Alex pictures this as a spectrum that sums up the tensions perfectly.

That's all, folks. đź‘‹

Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)

(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees.

(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.

(3) Any companies mentioned are top of mind and used for illustrative purposes only.

(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel—strong opinions weakly held

(5) Citations may be missing, and I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out