The Regulatory and Technological Challenges of Perpetual KYC


Perpetual KYC (pKYC) solutions offer regulated entities a high degree of convenience and save both time and cost. Still, the regulatory and technological challenges of pKYC need thorough consideration before regulated entities implement pKYC solutions.

This infographic discusses the challenges that Regulated Entities must be mindful of while attempting to implement pKYC measures for their business.

The regulatory and technological challenges that act as obstacles to pKYC implementation are discussed as follows:

Data Privacy Concerns:

Regulated Entities intending to implement pKYC must consider the prevailing data privacy regime in the UAE. Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data contains a framework to ensure that the privacy of individuals in the UAE is not compromised. Regulated Entities must ensure that they select and implement pKYC software that is compliant with data privacy laws in the UAE as well as the laws of the countries to which the regulated entity's customers belong.

The challenge here is navigating the variation in data privacy laws across various countries and the concern of the personal information of customers being sold or misused for marketing or other purposes by the vendors of such pKYC platforms. The process of pKYC entails the collection and analysis of a huge volume of data in real-time, which requires fail-safe data privacy protocols.

Regulated Entities must ensure that the pKYC software they select is compliant across all required parameters, and must conduct due diligence, software testing and validation before shifting to pKYC software to fulfil their KYC obligations.

Data Security Concerns:

Data security concerns arise with the use of any software or tool, as there is a risk of malware, phishing, ransomware, or social engineering attacks designed to obtain sensitive personal information from customers or to acquire login or authentication credentials. Regulated Entities must ensure that hackers and cybercriminals do not end up stealing customer information and compromising customers' privileged and private information. Regulated entities must ensure that the pKYC software they select and implement uses adequate encryption and security protocols to protect data from the risk of leakage and misuse.

Integration Challenges:

Another set of challenges that regulated entities face is the integration of pKYC software with existing AML compliance, customer relationship management, or client management software, along with the re-tuning of workflows and of task allocation or assignment across various personnel in the regulated entity. Regulated Entities must ensure that the pKYC tool they select can be integrated with existing systems for seamless pKYC implementation.

Regulatory Compliance:

Regulatory compliance is the purpose of opting for pKYC. However, it comes with its own set of compliance challenges for Regulated Entities, such as ensuring that the pKYC tool selected works as intended and within defined and acceptable parameters.

Conclusion

Implementing pKYC to reduce the KYC remediation burden and improve money laundering or terrorism financing risk mitigation is a smart choice. However, Regulated Entities must be mindful of the regulatory and technological challenges and must take adequate measures to reduce such challenges for easier pKYC implementation.


From Re-KYC to Perpetual KYC: The New Standard in Compliance


Re-KYC (Know Your Customer) or reviewing KYC details or KYC refresh is a mandatory Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) requirement in UAE. The guidelines for Designated Non-Financial Businesses and Professions (DNFBPs) provide for periodic updates of Customer Due Diligence (CDD) information. However, in an increasingly dynamic technological landscape, the concept of perpetual KYC or pKYC has emerged.

This infographic brings out the characteristics of pKYC that compensate for and overcome the shortcomings encountered during the re-KYC process, emphasising how pKYC is the new standard in AML compliance and why selecting and switching to pKYC is a smarter choice for DNFBPs in mitigating their money laundering and terrorism financing (ML/TF) risks.

Here are a few pointers indicating how pKYC outperforms reKYC.

Better ML/TF Risk Management:

Better ML/TF risk management can be ensured with the help of perpetual KYC. For instance, perpetual KYC identifies and notifies about material changes in customer KYC information in real time, whereas the factors triggering the re-KYC process are event- or frequency-based. This makes the perpetual KYC approach proactive in risk mitigation, in contrast to the reactive mode of re-KYC, where the circumstances, timing, and frequency of re-KYC work in a pre-determined or pre-set manner that does not consider real-time changes in customer information.

In re-KYC, the review of the customer profile or KYC information is done on the basis of the customer risk rating assigned to that particular customer. A blind spot exists where a material change in a customer's KYC details changes their customer risk rating from low to high: the change would go unnoticed until the pre-determined re-KYC cycle is triggered, creating a loophole for ML/TF actors to find their way into the economy through the DNFBP. Perpetual KYC in turn protects DNFBPs from ML/TF risks by identifying changes in customer KYC information in real time.

Streamlined KYC Remediation:

KYC remediation is a process which analyses the validity and relevance of the KYC procedure conducted by a DNFBP to find any inconsistencies or anomalies and remedy them in a timely manner.

The biggest contribution of adopting pKYC through a tool or software is in streamlining the KYC remediation process: addressing most changes in customer profiles in real time reduces the instances requiring KYC remediation and the need to remediate errors or issues found during the KYC remediation process in future. This new standard set by pKYC outperforms reKYC, whose accuracy and relevance can only be established during KYC remediation.

Enhanced Data Quality:

As changes in customer details are tracked in real time through pKYC, the data quality of CDD information is enhanced because it does not become redundant through document expiries. Redundancy is one aspect; pKYC also enhances data quality because it depends on Artificial Intelligence, Machine Learning, or a combination of both, which accepts or synthesises customer data and stores it in a prescribed format, resulting in better data quality for record-keeping as well.

Also, when the currentness of customer data is compared between re-KYC and pKYC, pKYC outperforms reKYC, making it a new standard in AML compliance: customer data in reKYC is only as current as the latest KYC review or refresh cycle, whereas customer data collected through pKYC is always the latest and updated.

Enhanced Operational Efficiency:

With better ML/TF risk management, streamlined KYC remediation, and enhanced data quality for the CDD procedure, a DNFBP is bound to achieve enhanced operational efficiency through the adoption of pKYC. It resolves many of the delays, overlaps, and internal coordination requirements among members of the AML compliance team and KYC analysts in conducting re-KYC, KYC remediation, and ongoing monitoring of business relationships, through automation and through intervention via notifications and alerts only when an anomaly or red flags are detected.

World-Class Customer Experience:

What helps with world-class customer experience is the customer-centric focus that anticipates customer issues and strives to drive solutions rather than shift the burden of KYC compliance on customers. Perpetual KYC is one such solution that embeds compliance in the customer lifecycle or customer journey, always keeping track of changes in customer KYC details, reducing the friction that may arise during the KYC remediation process. The use of technology for pKYC and training personnel to handle pKYC tools gives a competitive advantage to the DNFBP, thus enhancing customer experience and making pKYC a new AML compliance standard.

Compliance Cost Reduction:

To understand how pKYC helps with compliance cost reduction, it is important to understand that compliance cost reduction is the result of multiple factors, with enhanced operational efficiency being a major contributor along with a streamlined KYC remediation process. The proactive approach of pKYC helps bring down the cost of compliance in the long run. It helps lessen the cost of KYC remediation by updating customer information and documents in real time, helping ensure the relevance of customer details and documents, and tracking any shift in customers' risk profiles, which reduces situations warranting KYC remediation and brings down compliance costs.

Conclusion

To conclude, when a DNFBP thinks in terms of having a KYC model that embodies principles of risk-based approach, perpetual KYC is the answer, helping the DNFBP to re-calibrate its ML/TF risk mitigation measures in real-time in alignment with changes in customer’s KYC information which makes pKYC a new standard in AML compliance.


Why Real Estate Appeals to Money Launderers: A Closer Look


The Real Estate Sector is considered at significant risk for Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF). Such a ML/FT and PF risk to the real estate sector originates from various features of the real estate business itself. This infographic digs deep into finding out why real estate appeals to money launderers and has become a preferred conduit to disguise their illicit money.

The factors that lead criminals and money launderers to prefer real estate as a mode for money laundering are discussed as follows:

High-Value Transactions:

The subject matter of the real estate business is property, be it housing or commercial, which is a highly valuable asset whose value tends to appreciate. Due to the high-value nature of real estate, it ends up supporting high-value transactions. This feature attracts money launderers as they can disguise large amounts of illegally derived funds through the purchase, rent, or sale of real estate, which provides an opportunity to place, layer, and integrate illicit funds into the financial system.

Real estate can also be bought or sold for cash, making it even more vulnerable to criminals who pump in their cash and park or invest it in the form of property.

Cross-Border Transactions:

Many Real Estate projects are undertaken on an international scale with the goal of attracting foreign investors and funding.

However, this feature of the real estate sector comes with its own set of risks. The risk here lies in facilitating payments and disbursements of funds across borders.

The cross-border transaction facility provided to investors often gets misused by money launderers outside the country to funnel their illicit funds from one country to another in the guise of a real estate transaction, thus helping with the layering and integration of illicit proceeds.

Even the most experienced bankers and transaction monitoring analysts face ambiguity when deciding whether a cross-border real estate transaction is genuine or an illusion created by money launderers to launder illegal funds, as both genuine and ill-motivated cross-border transactions exhibit similar features such as routine disbursements, routing of funds to and from different jurisdictions to pay for real estate, inward remittances from offshore accounts, etc.

Involvement of Intermediaries:

Real estate transactions and dealings do not require the parties to the transaction to appear in person to execute a real estate agreement or sale/purchase/mortgage/lease deed as this task can be delegated or assigned to intermediaries such as real estate agents or agencies specialising in facilitating real estate transactions for individuals or entities across the world. With the involvement of such intermediaries, it becomes difficult to identify the authenticity, legitimacy, and intent of the parties to real estate transactions, making it an easy target for money launderers.

To add to the vulnerability, the involvement of gatekeepers such as lawyers, accountants, and conveyancers as intermediaries adds to the difficulty in identifying the involvement of money launderers or criminals behind the transaction as gatekeepers create an image of authenticity.

Concealment of UBOs:

As real estate transactions involve legal entities entering transactions, it appears on paper and on the surface that a legal entity or a legal arrangement is entering a real estate agreement and transaction through its authorised signatories.

However, the ML/FT and PF risk lies behind the identity of the actual puppeteer, i.e., the natural person possessing significant control or beneficial ownership (also known as the ultimate beneficial owner, or UBO) of such a legal entity or legal arrangement. It is possible that the beneficial owner or person with a controlling interest is a criminal who is getting business done through the mask of a legal entity or legal arrangement.

Money launderers can conduct the purchase, sale, or lease of real estate while hiding their true identities through the misuse of complex business structures such as shell companies, trusts, fronts, nominees, or nonprofit organisations.

Anonymity and Privacy:

Many real estate transactions these days are executed by persons holding a Power of Attorney (POA), which provides anonymity to the UBOs behind the transaction. The use of virtual assets to execute real estate transactions also makes it attractive for money launderers to further their money laundering motives, as virtual asset transactions provide anonymity to the originator as well as the beneficiary of the transaction.

Subjectivity around Valuation:

Launderers can buy, sell, or lease real estate at any value (usually higher than market value), usually as a tool to commingle illegally obtained money with legitimate earnings or profits. They exploit the subjectivity around the valuation of a real estate property: an inflated value can be justified through renovations and refurbishments, manipulating the property price in a way that confuses or convinces the authorities that the subject matter of the transaction is indeed quoted justly.

Conclusion

Real Estate businesses and aspirants such as buyers/sellers/lessors and lessees need to beware of the underlying ML/FT and PF risk to the real estate sector and must enter into business relationships by ensuring adequate due diligence.


Countering Trade-Based Money Laundering


Trade-Based Money Laundering (TBML) is a widespread money laundering typology. This infographic elaborates on how Regulated Entities can effectively counter TBML by adopting risk-based countermeasures. Let us delve into each of these countermeasures in depth as follows:

Robust AML/CFT Policies and Procedures

Regulated Entities must ensure that they formulate and implement Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) policies and procedures that have a risk-based and risk-sensitive approach at their core. A risk-sensitive AML/CFT policy and procedure should be devised after carefully weighing the TBML risk specific to the Regulated Entity.

Regulatory Oversight

Regulated Entities can successfully counter TBML risks by ensuring compliance with applicable AML laws and regulations. The AML/CFT laws applicable to Regulated Entities in the UAE are as follows:

  • Federal Decree by Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing.
  • The Cabinet Resolution No. (134) of 2025 Concerning the Executive Regulations of Federal Decree-Law No. (10) of 2025 Concerning Combating Money Laundering, Terrorist Financing, and the Financing of the Proliferation of Weapons.
  • Cabinet Resolution No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolutions.
  • Cabinet Decision No. (109) of 2023 On Regulating the Beneficial Owner Procedures.

Transaction Monitoring

As TBML is a transaction-heavy money laundering technique, it makes rational business sense for Regulated Entities to invest in a transaction monitoring tool or software. A transaction monitoring tool helps Regulated Entities identify suspicious transactions and transaction monitoring related red flags. To make the most of it, Regulated Entities must ensure that they impart adequate training to staff on using transaction monitoring tools to identify TBML red flags.

Information Sharing

Regulated Entities must define, within their AML/CFT policies and procedures, methods for uniform sharing of information across branch offices, holdings, and subsidiaries spread across the globe. Such information sharing protocols must take into consideration the Data Protection and Data Privacy laws applicable across the globe. This information sharing protocol plays an instrumental role in identifying and mitigating TBML, as secure sharing of information is important in identifying common areas posing TBML risks.

International Cooperation

Ensuring compliance with internationally accepted AML standards, such as the Financial Action Task Force (FATF) Recommendations, interpretation notes, and publications to combat TBML, helps Regulated Entities keep pace with internationally accepted standards and norms, which facilitates ease of doing business across the world.

Training and Awareness

Regulated Entities must ensure that they define a role-specific AML training and awareness program for their personnel, which shall be helpful in combating TBML risks. This training must focus on making the personnel aware of TBML typologies, such as TBML through invoice manipulation, and TBML red flags. The AML Policies and Procedures must also define the frequency and means of training delivery.

Leveraging Technology

These tools and software help regulated entities counter TBML risks by saving time and resources consumed by manual AML compliance processes.

Record-Keeping

Regulated Entities must ensure that they maintain records of their TBML countermeasures to ensure adequate regulatory compliance. Regulated Entities must be careful about the duration for which AML records have to be maintained according to the Supervisory Body they are governed by.

Conclusion

Adequate TBML countermeasures, such as risk-based AML policies and procedures and leveraging technology, help Regulated Entities combat TBML risks easily.


Unmasking Invoice Manipulation in Trade-Based Money Laundering Schemes


Trade-Based Money Laundering (TBML) is a typology or method commonly used by money launderers. It involves manipulating international transactions of goods that can be traded. This infographic discusses how money launderers carry out TBML by manipulating invoices of goods traded across international borders, covers methods of invoice manipulation such as over-invoicing, under-invoicing, and multiple invoicing, and suggests TBML risk mitigation measures to combat TBML through invoice manipulation.


The TBML process is quite similar to usual money laundering, which involves placement, layering, and integration. Here, placement is done by introducing or commingling illicit proceeds with legitimate proceeds through manipulating the value of imported or exported goods via the invoices for such goods.

This manipulation of invoices is done by over or under-invoicing or placing multiple invoices for a single cluster or batch of goods. The manipulation of invoices facilitates the layering of illicit proceeds, separating them from the original illegal source by providing a facade of legitimacy through manipulated, tailored, or doctored invoices. Lastly, integration happens when such goods are sold in the open market.

Invoice manipulation is a TBML technique used by money launderers. It facilitates TBML by misrepresenting the quality, quantity, and price of goods in the invoice.

Common TBML Typologies Using Invoice Manipulation

Over-Invoicing or Under-Invoicing

Over Invoicing: Involves receiving invoices from sellers and suppliers at an inflated value compared to their market value.

Under Invoicing: Involves receiving invoices from sellers and suppliers at a price lower than market value.

Multiple Invoicing

Involves receiving more than one invoice for a single transaction.

Mitigation Strategies to combat TBML through Invoice Manipulation

Common ML/FT and PF Risk Mitigation Strategies to Mitigate Invoice Manipulation:

Some of the standard methods to counter TBML through invoice manipulation are:

Sanctions Screening, Politically Exposed Person (PEP), and Adverse Media Checks:

Businesses involved in international trade transactions need to carry out sanctions screening of their customers/suppliers, importers and exporters to ensure that the individual or ultimate beneficial owner behind such transactions is not a sanctioned individual, PEP or has any relevant or material adverse media against their names. This possibility must be ruled out to eliminate the probability of money laundering through the trade transaction.

Deploying Adequate Transaction Risk Assessment:

Businesses in the UAE must take adequate measures to ascertain or identify the level of TBML invoice manipulation risk posed to their business and deploy risk-based measures to mitigate such risk by putting in place transaction risk assessment measures. A transaction risk assessment process would facilitate identifying potentially suspicious trade transactions. Further, transaction monitoring software can be configured to suit business-specific risks by using machine learning models combined with the power of artificial intelligence (AI) to automate such transaction risk assessment processes and generate alerts when any anomaly is found.

Devising Robust Supply Chain Controls:

Having in place a well-strategized Supply Chain Policy enables businesses to define and document the processes, timelines, workflows, parameters, and controls through which they shall closely monitor their trade activity involving the inflow and outflow of goods. Especially in the case of dealers in precious metals and stones, a supply chain policy or ethical sourcing policy is a requirement in many jurisdictions. Such a supply chain policy would enable businesses to devise and implement supply chain controls to curtail TBML in the following ways:

  • Defining adequate TBML identification measures and monitoring of TBML risks
  • Defining the timing, frequency, extent, and depth of personnel training, enabling them to identify TBML red flags and typologies.
  • Defining areas or jurisdictions and trade routes that are usually associated with TBML red flags.

Assessing Business Rationale:

Identifying the business rationale or purpose of business behind every invoice helps ensure that proposed trade transactions are well within a business’s risk appetite. If the business rationale is absent, it is a major red flag that the invoice or transaction is unusual, requiring further investigation.

Closely conducting Transaction and Inventory Monitoring:

When inventory and transactions are closely monitored, there is no room for manipulation of invoices from internal factors that might facilitate money laundering or TBML motives. When inventory and transaction value are coherent, the TBML risk is significantly reduced.

Deploying Invoice Verification Tools:

Technology is always a smart move when running any business with a high volume of transactions. Usually, the businesses involved in trade activities are invoice-heavy. Invoice verification tools are automated software that checks product descriptions, invoice particulars, invoice numbers, dates, etc. This helps prevent TBML through multiple invoicing and over or under-invoicing.

Specific TBML Risk Mitigation Strategies

Over-Invoicing or Under-Invoicing:

Assessing Product Category: Checking the product category, whether the product is prone to duplication, and whether its quality is worth the price quoted and entered into the invoice helps mitigate over or under-invoicing of such a product.

Ascertaining Unit Price Accurately: To prevent misrepresentation of the invoice price through quantity, checking the price per piece helps verify the invoice value claimed.

Comparing Quantity, Unit Price and Market Value Against Invoice Price: Ultimately, cross-checking the quantities of goods mentioned in the invoice, their per unit and order price, and the market value of similarly traded goods helps identify if any invoice presented to a business is over or underpriced.

Multiple Invoicing

Checking the Date of Transaction: Checking the date of transaction for an invoice is a general best practice and a TBML risk mitigation method. It helps identify the period for which the invoice is claimed, further cross-verify its authenticity, and avoid multiple invoicing.

Checking Invoice Number: Checking and verifying invoices through the invoice number is the best way to avoid the same invoice being used twice to claim or process the payment. It helps cross-verify the invoice and its particulars across different sets of databases pertaining to the same invoice or order number, thus helping identify if TBML through multiple invoices is attempted.

Checking Invoice Particulars: Checking invoice particulars to prevent TBML involves verifying the quality, product description, quantity, invoice number and other invoice attributes to make sure that the invoice in question is not manipulated, duplicated, tampered with, forged, or counterfeit, and that particulars within the invoice have not been erased or added to make it look like a different invoice for multiple invoicing. This establishes its legitimacy, which helps mitigate multiple invoicing risk.

Checking Product Description: Product description checking helps prevent TBML by confirming that a product for which a particular amount is billed is worth the amount it is billed for. This leaves no room for invoice duplication, which facilitates TBML through multiple invoicing.
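The checks listed under the specific mitigation strategies above can be automated. The following is an added example, not code from the original page or from any vendor's tool; the field names, the reference price table, the 25% tolerance and the sample invoices are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: str
    supplier: str
    issued: date
    description: str
    quantity: int
    unit_price: Decimal
    total: Decimal


def normalise(text):
    """Collapse case and whitespace so trivially edited fields still match."""
    return " ".join(text.lower().split())


# Constructed reference prices, keyed by normalised product description.
MARKET_PRICE = {"copper cathode, grade a (tonne)": Decimal("9000")}
TOLERANCE = Decimal("0.25")  # assumed acceptable deviation from market value


def price_flags(inv, market=MARKET_PRICE, tolerance=TOLERANCE):
    """Over/under-invoicing: compare quantity, unit price and market value."""
    flags = []
    if inv.quantity * inv.unit_price != inv.total:
        flags.append("total_mismatch")
    ref = market.get(normalise(inv.description))
    if ref is None:
        flags.append("no_reference_price")
    else:
        deviation = (inv.unit_price - ref) / ref
        if deviation > tolerance:
            flags.append("over_invoiced")
        elif deviation < -tolerance:
            flags.append("under_invoiced")
    return flags


def review_invoices(invoices):
    """Return {position in batch: sorted flags} for every flagged invoice."""
    by_number = defaultdict(list)       # same supplier + invoice number
    by_particulars = defaultdict(list)  # same goods, date and quantity
    for idx, inv in enumerate(invoices):
        supplier = normalise(inv.supplier)
        by_number[(supplier, inv.number.strip().upper())].append(idx)
        key = (supplier, normalise(inv.description), inv.quantity, inv.issued)
        by_particulars[key].append(idx)

    flagged = defaultdict(set)
    for idx, inv in enumerate(invoices):
        flagged[idx].update(price_flags(inv))
    # Multiple invoicing, case 1: the same invoice number presented twice.
    for indexes in by_number.values():
        if len(indexes) > 1:
            for idx in indexes:
                flagged[idx].add("duplicate_number")
    # Case 2: identical particulars billed under different invoice numbers.
    for indexes in by_particulars.values():
        if len({invoices[i].number.strip().upper() for i in indexes}) > 1:
            for idx in indexes:
                flagged[idx].add("repeated_particulars")
    return {idx: sorted(f) for idx, f in sorted(flagged.items()) if f}


GOODS = "Copper cathode, grade A (tonne)"
D = Decimal
# Constructed sample batch.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "Alpha Metals", date(2024, 3, 1), GOODS, 10, D("9100"), D("91000")),
    Invoice("INV-1002", "Alpha Metals", date(2024, 3, 5), GOODS, 10, D("14000"), D("140000")),
    Invoice("INV-1003", "Alpha Metals", date(2024, 3, 7), GOODS, 5, D("4000"), D("20000")),
    Invoice("INV-1001", "Alpha Metals", date(2024, 3, 1), GOODS, 10, D("9100"), D("91000")),
    Invoice("INV-1010", "Alpha Metals", date(2024, 3, 9), GOODS, 20, D("9000"), D("180000")),
    Invoice("INV-1011", " alpha metals ", date(2024, 3, 9),
            "Copper  Cathode, Grade A (tonne)", 20, D("9000"), D("180000")),
    Invoice("INV-1012", "Alpha Metals", date(2024, 3, 12), GOODS, 3, D("9000"), D("30000")),
]

if __name__ == "__main__":
    for position, flags in review_invoices(SAMPLE_INVOICES).items():
        print(SAMPLE_INVOICES[position].number, flags)
```

A flag is a prompt for review of the business rationale, not a finding; the tolerance and the reference prices need to reflect the goods actually traded.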

Conclusion

TBML is a widely used methodology by criminals to launder money by manipulating invoices of tradeable goods across international borders. Having an adequate TBML invoice manipulation mitigation strategy helps prevent TBML invoice manipulation risk effectively.


Strengthening Transaction Monitoring through Unusual Sign-In Detection


Advanced Anti-Money Laundering (AML) software is a big step forward for regulated entities such as Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) in taking a Risk-Based Approach (RBA) when onboarding a client as well as for ongoing monitoring of transactions and business relationships.

Transaction Monitoring software provides a combination of unusual sign-in alerts to help regulated entities identify anomalies and safeguard themselves against ML/TF/PF risks. Types of suspicious sign-in alerts that AML software must be configured to generate are as follows:

Geolocation Discrepancy Alert

AML software with transaction monitoring features can help businesses detect transaction-related red flags by sending the software user a geolocation discrepancy alert when any deviation from the usual location of customer login is observed.

Geolocation discrepancy alerts can help the regulated entities in detecting ML/TF/PF typologies such as unusual transactions between distant locations, rapid pass-through of funds between accounts belonging to high-risk jurisdictions or simultaneous login from multiple locations or countries unrelated and unusual for the customer profile.

Multiple Failed Login Attempts Alert

Another alert that helps monitor unusual transaction patterns is the multiple failed login attempts alert. The AML software alerts regulated entities to potentially suspicious behaviour, helping them take timely action. Multiple failed login attempts within a short period or a series of failed attempts can be a sign of malicious activity, as criminals can use such tactics to gain unauthorised access to legitimate accounts, putting customer data privacy at risk.

Transaction Monitoring software records the number of failed login attempts for every account and analyses their frequency over a specific time period. It further checks whether bots or similar tools are being used to log in and, if so, generates an alert, thus preventing access by a third party or misuse of a customer account for muling, which is a money laundering typology.

Unusual Time to Transact Alert

AML software with ongoing and transaction monitoring functionalities can analyse the client’s regular transaction pattern. If there are any deviations in terms of date and time, for instance, if there are multiple transactions late in the night or on weekends or at times when the client is typically inactive, then such transactions are alerted. AML software backed by machine learning and behavioural analytics can also be customised to flag alerts if the transactions do not occur within a set period.

Device or IP Address Mismatch Alerts

Clients often use multiple devices, such as their mobile phones and work or personal laptops/desktops, for transactions and during remote or non-face-to-face onboarding, usually known as the Know Your Customer (KYC) or reKYC process. However, if there is client activity from multiple unknown, unusual or new devices within a short period, or if the client's device or IP address location is geographically distinct from the geographical data provided by the client, indicating the use of a proxy or VPN, then such transactions can be red flags. AML software can also check for cookie matches to identify fraudulent patterns.

AML software supported by behavioural biometrics can distinguish between a client’s suggested location and their actual location using a device’s unique identifiers like International Mobile Equipment Identity (IMEI) or MAC address and track IP addresses based on geolocation databases.

AML software can identify such unusual sign-ins and generate notifications of such device or IP address mismatches, enabling the compliance team of the regulated entity to take up further investigation.

Simultaneous Login from Different Locations Alert

It is not unusual for a client to log in from different locations, such as their workplace and its branch offices, from the comfort of their home, or while on vacation. However, it is highly unusual for a login to a single customer account to be attempted, or to succeed, simultaneously from different locations rather than from just one of the usual locations. Such an event might be indicative of involvement in illegal activities leading to money laundering, terrorism financing or proliferation financing.

Unified AML software can be calibrated to generate notifications of such seemingly suspicious login attempts, enabling the regulated entities to file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) in a timely manner through the goAML portal.

Suspicious VPN or Proxy Usage Alert

The transaction monitoring software can verify IP addresses against known proxy or VPN services with the help of specialised tools and libraries designed to detect proxies and VPNs.

Money launderers and criminals resort to the use of VPNs or proxies to hide their real location to facilitate transactions to and from jurisdictions that are usually on sanctions watchlists or to simply mask their exact location and whereabouts to prevent being detected by authorities. Unified AML solutions that can detect the use of VPNs and proxies should ideally be used by the regulated entities as notifications of the use of VPN, anonymiser services (for crypto or virtual asset transactions), or proxy by any customer can be received immediately for further investigative and reporting purposes.

High-Frequency Login Attempts Alert

If a customer attempts to log in more frequently than their usual pattern, it is a behavioural red flag, irrespective of whether a transaction occurs with every login. AML software can be configured to generate alerts when high-frequency login attempts are made. This enables the AML compliance team to look into the business relationship and take necessary steps if required.

Dormant Account Access Alert

The sudden use, re-activation, or login of a dormant customer account is a critical ML/PF/TF red flag that can be detected through transaction monitoring. It is possible that the real user of such a dormant account was an elderly person who is now deceased and that the account was reactivated by criminals who attempted identity theft to transfer funds through it. Sudden re-activation of a dormant account is a type of unusual sign-in and customer behaviour, and an alert of such dormant account access enables regulated entities to implement the necessary AML controls.

Access from High-Risk Jurisdiction Alert

If and when a customer attempts to log in or transact through their account from a high-risk country, this event might require the following:

  • Regulatory Reporting
  • Enhanced Due Diligence
  • Further Investigation, or
  • Termination of Business Relationships with such customers in some cases.

High-risk jurisdiction alerts from AML software help regulated entities meet their AML compliance requirements more effectively.
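Several of the sign-in alerts described above (multiple failed logins in a short period, simultaneous logins from different locations, dormant account access and access from a high-risk jurisdiction) can be expressed as rules over a stream of login events. The following Python is an added example, not code from any AML product; the event fields, the thresholds and the country code `XX` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the page does not prescribe thresholds.
FAILED_LIMIT = 5                       # failed logins that trigger an alert ...
FAILED_WINDOW = timedelta(minutes=10)  # ... when they fall inside this window
SESSION_TTL = timedelta(minutes=30)    # a successful login counts as live this long
DORMANT_AFTER = timedelta(days=365)    # no activity for this long means dormant
HIGH_RISK = {"XX"}                     # placeholder country code, not a real list

# Constructed sample events: (ISO timestamp, account, country, outcome)
SAMPLE_EVENTS = [
    ("2022-01-10T08:00:00", "acct-3", "AE", "ok"),
    ("2024-03-01T09:00:00", "acct-1", "AE", "fail"),
    ("2024-03-01T09:01:00", "acct-1", "AE", "fail"),
    ("2024-03-01T09:02:00", "acct-1", "AE", "fail"),
    ("2024-03-01T09:03:00", "acct-1", "AE", "fail"),
    ("2024-03-01T09:04:00", "acct-1", "AE", "fail"),
    ("2024-03-01T10:00:00", "acct-2", "AE", "ok"),
    ("2024-03-01T10:05:00", "acct-2", "IN", "ok"),
    ("2024-03-01T11:00:00", "acct-3", "XX", "ok"),
]


def detect(events):
    """Return (timestamp, account, alert) tuples for the given login events."""
    alerts = []
    failures = defaultdict(deque)  # account -> times of recent failed logins
    live = defaultdict(dict)       # account -> {country: last successful login}
    last_seen = {}                 # account -> time of the last event of any kind

    for stamp, account, country, outcome in sorted(events):
        ts = datetime.fromisoformat(stamp)

        # Dormant account access: first activity after a long silence.
        previous = last_seen.get(account)
        if previous is not None and ts - previous >= DORMANT_AFTER:
            alerts.append((stamp, account, "DORMANT_ACCOUNT_ACCESS"))
        last_seen[account] = ts

        # Access from a high-risk jurisdiction, successful or not.
        if country in HIGH_RISK:
            alerts.append((stamp, account, "HIGH_RISK_JURISDICTION_ACCESS"))

        if outcome == "fail":
            # Sliding window: keep only failures newer than FAILED_WINDOW.
            window = failures[account]
            window.append(ts)
            while ts - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LIMIT:
                alerts.append((stamp, account, "MULTIPLE_FAILED_LOGINS"))
                window.clear()  # start counting again so one burst alerts once
        else:
            # Simultaneous login: another country still has a live session.
            sessions = live[account]
            for old in [c for c, t in sessions.items() if ts - t > SESSION_TTL]:
                del sessions[old]
            if any(c != country for c in sessions):
                alerts.append(
                    (stamp, account, "SIMULTANEOUS_LOGIN_DIFFERENT_LOCATIONS"))
            sessions[country] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

In production the dormancy check would normally use the account's recorded last-activity date rather than the event stream alone, and the country would come from a geolocation lookup on the source IP address.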

Conclusion

During the ongoing monitoring process, unusual spikes in transactions or client activity in a dormant or low-activity account or suspicious activities such as round tripping of funds or multiple login attempts can be a concerning sign.

AML software depends on pattern recognition models and can be integrated with other systems, such as customer relationship management (CRM) systems or fraud prevention tools, to generate a combined analysis of any suspicious account activity. Regulated entities can refer to our blog Best Practices for Customising AML Software Notifications to adopt a risk-based approach towards tailoring the use of AML software for their specific business needs.

Check out our Case Study on Implementing Cutting-Edge AML Software in the DNFBP Sector to form a better understanding of the role of AML software in AML compliance.

Rules-Based vs Machine Learning Models in Transaction Monitoring Systems

The fundamental difference between Rules-Based and Machine Learning Models for conducting Transaction Monitoring is that a rules based monitoring system relies on pre-defined criteria and thresholds, whereas a machine learning-based transaction monitoring system relies on the tool’s ability to proactively identify, decipher, and analyse data fed into the system.

The Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) laws and regulations require businesses to implement a transaction monitoring system which scans every single transaction for whether there is any evidence for potential engagement in Money Laundering (ML), Terrorism Financing (TF), or Proliferation Financing (PF). With advancements in technology, businesses now have the option to choose between rule-based monitoring and machine-learning models for their transaction monitoring processes. Let’s understand the meaning, pros, and cons of these approaches.

Rule-Based Monitoring

A rules-based monitoring system operates on predefined criteria and thresholds established by regulatory guidelines and internal AML policies. The transaction monitoring system functions with a straightforward approach to compliance. Here are some pros and cons of rule-based transaction monitoring:

Pros of Rule-Based Monitoring

  • A rule-based transaction monitoring system flags and alerts on every transaction exceeding the set threshold, ensuring no significant activity is overlooked. It monitors and alerts on every transaction frequency inconsistent with parameters set for customer profile type, highlighting any anomalies. Further, rule-based monitoring software identifies and alerts on every transaction routed to or through blacklisted or grey-listed jurisdictions, enhancing compliance for businesses.
  • A rule-based transaction monitoring software helps achieve 100% compliance and accuracy for regulatory reporting requirements, thereby reducing legal risks.
  • In the case of rule-based transaction monitoring tools, rules can be tweaked and fine-tuned by manual adjustments, allowing businesses to respond to evolving risks. Further, it employs straightforward implementation without requiring complex data and workflow management, making it easy for staff to use. It is based on clear and transparent rules, providing accountability and clarity in monitoring processes.
  • A rule-based transaction monitoring system has proven effective for standard scenarios, ensuring reliability. It facilitates quick detection of straightforward violations, reducing the financial risk associated with fines and penalties due to non-compliance and fraudulent activities.

Cons of Rule-Based Monitoring

  • Rules-based transaction monitoring must be updated manually every time a change is needed, which can be resource-intensive.
  • A rule-based monitoring system primarily identifies issues after they occur, making it reactive in nature, which may allow suspicious activity to go unnoticed initially.
  • With rule-based transaction monitoring software, rules can be reverse-engineered, which can be exploited by those seeking to evade detection.
  • Rules-based monitoring systems may inadvertently reflect biases present in the rule-setting process.
  • Rules-based systems tend to generate numerous false alerts, leading to resource strain and potential desensitisation.
  • Rules-based transaction monitoring systems have limited ability to adapt to emerging and sophisticated patterns of suspicious activities, leaving the business open to financial crime threats, including ML, FT, and PF.
  • Rules-based transaction monitoring software is rigid and may miss hidden risks due to a fixed rule structure, which makes compliance ineffective.

Transaction Monitoring through Machine Learning Model

A machine learning-based transaction monitoring system with advanced analytics can be leveraged as part of AML compliance technology. Let’s discuss the pros and cons of transaction monitoring, which utilises a machine learning model.

Pros of Transaction Monitoring through Machine Learning Model

  • Machine Learning-based transaction monitoring systems come with features like proactive identification that can decipher hidden behavioural patterns and complex and interdependent data, allowing for earlier detection of suspicious activities.
  • Machine Learning-based transaction monitoring software supports automatic re-tuning and fine-tuning of historical data, resulting in improved accuracy and efficiency over time.
  • Machine learning-based transaction monitoring software is massively scalable to handle increasing transaction volumes and complexities. Further, it requires minimal human intervention, saving time and costs.
  • Machine learning-based models can obscure the decision-making process and are difficult to reverse engineer, which enhances the security and privacy features.
  • Machine learning-based transaction monitoring tools are capable of learning from historical data and picking out algorithms, reducing the incidence of false positives.

Cons of Transaction Monitoring through Machine Learning Model

  • Machine Learning models require extensive and high-quality training data points to devise a decision-making system and function effectively.
  • Implementing and maintaining models necessitates skilled experts, which can be costly for businesses.
  • The setup and ongoing management of machine learning models are complex to implement and require significant technical expertise.
  • Machine learning-based transaction monitoring systems often lack clear transparency and explainability, which can complicate regulatory compliance and stakeholder trust.
  • Machine learning-based transaction monitoring software is resource-intensive regarding computing power, and costs can be prohibitive.
  • Regulatory and compliance concerns about machine learning-based model validation and effectiveness can be challenging.
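To make the trade-off above concrete, the added example below (not taken from any transaction monitoring product) runs a fixed-threshold rule beside a per-customer statistical baseline, used here as a simple stand-in for a learned behavioural model. The threshold, the z-score limit, the minimum history size and all customer data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

THRESHOLD = 50_000  # assumed fixed rule: alert on any amount at or above this
Z_LIMIT = 3.0       # assumed: alert when an amount is more than 3 standard
                    # deviations above the customer's own historical mean
MIN_HISTORY = 5     # assumed minimum of past transactions before judging

# Constructed history of past transaction amounts per customer.
HISTORY = {
    "retail-A": [900, 1100, 1000, 950, 1050, 1000],
    "wholesale-B": [60000, 58000, 62000, 61000, 59000, 60000],
}

# Constructed new transactions to score.
NEW_TXNS = [
    {"customer": "retail-A", "amount": 40000},     # far outside own pattern
    {"customer": "wholesale-B", "amount": 60000},  # routine for this customer
    {"customer": "new-C", "amount": 70000},        # no history at all
]


def rule_alert(txn):
    """Rule-based check: one pre-defined threshold for every customer."""
    return txn["amount"] >= THRESHOLD


def baseline_alert(txn, history):
    """Behavioural check against the customer's own history.

    Returns None when there is too little history to judge, which is the
    training-data dependency listed among the cons above.
    """
    past = history.get(txn["customer"], [])
    if len(past) < MIN_HISTORY:
        return None
    mu, sigma = mean(past), pstdev(past)
    if sigma == 0:
        return txn["amount"] > mu
    return (txn["amount"] - mu) / sigma > Z_LIMIT


def compare(txns, history):
    """Return (customer, rule result, baseline result) for each transaction."""
    return [(t["customer"], rule_alert(t), baseline_alert(t, history))
            for t in txns]


if __name__ == "__main__":
    for row in compare(NEW_TXNS, HISTORY):
        print(row)
```

On the constructed data, the fixed rule misses the retail customer's out-of-pattern transaction and alerts on the wholesaler's routine one, while the baseline does the opposite and cannot judge the new customer at all.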

Conclusion

Identification and verification are significant in AML laws and regulations. Leveraging identity verification APIs for AML compliance is a strategic move that can help DNFBPs implement effective identification and verification processes and make informed compliance decisions.   

Unlocking the benefits of ID Verification APIs for AML Compliance

Identification and verification of customers, partners, and employees are key compliance requirements of Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) regulatory framework, aiming to reduce money laundering (ML), financing of terrorism (FT), and proliferation financing risks and other financial crimes. Designated Non-Financial Businesses and Professionals (DNFBPs) should employ the ID verification Application Programming Interfaces (API) to enable automated and efficient ID verification processes.

ID verification APIs streamline the process, providing efficient solutions that, along with meeting compliance standards, drive operational effectiveness. In this infographic, we will explore the key benefits of relying on these identity verification APIs, emphasising how they can transform the business operations for DNFBPs.

The following are some benefits of relying on identity verification APIs: 

Lower Operational Costs

Implementing ID verification APIs reduces operational costs by minimising the need for extensive manpower and resources required for manual verification. The APIs’ automated verification process shifts the team’s focus from the extensive identification and verification process to higher-value tasks, contributing to a leaner operational model.

Lower Infrastructure Costs

ID verification APIs leverage cloud-based solutions, which eliminate the need for extensive on-premises systems, including hardware and software for identification and verification processes. This helps DNFBPs to shift their reliance on the substantial physical infrastructure required, reducing the investment in infrastructure, space, and maintenance costs attached to physical infrastructure.

Lower Compliance Costs

DNFBPs are mandated to undertake Know Your Customer (KYC) as their compliance requirement, which can be resource-intensive when implemented in traditional and manual ways. ID verification APIs simplify processes, provide ready-to-use solutions, and provide on-time service which meets regulatory requirements. This leads to ease of compliance, thereby reducing the costs associated with penalties, fines, and audit expenses.

Lower Fraud Rate

With capabilities to authenticate users using advanced biometric solutions and document scanning in real time, ID verification APIs reduce the chances of fraudulent activities and the significant risks posed by such frauds to businesses. APIs verify identities promptly and accurately, helping DNFBPs protect themselves and their customers from fraud and potential financial losses.

Lower Customer Abandonment Rate

Traditional verification processes are known for being cumbersome, which leads to customer frustration and abandonment. ID verification APIs are known for their streamlined processes that enable quick and seamless identity checks, removing cumbersome steps for customers. With such enhanced processes, customers are satisfied and are more likely to be retained and to continue with the business.

Enhanced KYC/AML Compliance

KYC is a key requirement of AML compliance. ID verification APIs provide automated solutions that help DNFBPs collect necessary data and verify customers’ identities. Such an approach facilitates smooth customer due diligence and monitoring processes and enhances compliance for DNFBPs.

Real-Time Verification

ID verification APIs facilitate real-time checks, allowing DNFBPs to make prompt decisions. Such real-time checks benefit DNFBPs by enabling timely verification that enhances customer experience and offers an instant reporting system.

Scalability and Flexibility

ID verification APIs offer scalability and flexibility, allowing DNFBPs to easily adjust their verification processes to accommodate changing volumes and types of transactions. This adaptability ensures that DNFBPs remain compliant and efficient with their growth or market fluctuations.

Data Security and Privacy Compliance

With data security and privacy concerns, ID verification APIs are designed with compliance in mind. These APIs ensure that sensitive information is handled securely, adhering to data protection laws and regulations. With a focus on data protection, ID verification APIs help DNFBPs build trust with customers, as they know their information is safe.

Audit Trail and Reporting

DNFBPs need to maintain a clear audit trail as part of their AML compliance requirements and risk management. APIs provide detailed logs and keep track of verifications and the outcomes of such processes. With such features, DNFBPs can facilitate easy audit processes and proactively report any suspicious activities, ensuring accountability.

Reduced Risks of Fines and Penalties

With advanced capabilities, ID verification APIs help enhance compliance processes, which reduce the risk of fines and penalties associated with non-compliance. This protects DNFBPs financially, enhances their operational efficiency, and safeguards their reputation.

Conclusion

Identification and verification are significant in AML laws and regulations. Leveraging identity verification APIs for AML compliance is a strategic move that can help DNFBPs implement effective identification and verification processes and make informed compliance decisions.   

Must-Have features in an Identity Verification API

Conducting Customer Due Diligence (CDD) is an important part of anti-money laundering (AML), countering the financing of terrorism (CFT) and countering proliferation financing (CPF) compliance obligations for Regulated Entities, including Designated Non-Financial Businesses and Professions (DNFBPs) in the UAE. The Know Your Customer (KYC) process is integral to CDD. KYC identifies and verifies the identity of customers through authentic government-issued identity documents. This infographic provides insights into the must-have features in an identity verification API.

ID verification Application Programming Interface (API) software facilitates the digital conducting of the KYC process. DNFBPs can adopt ID Verification APIs to streamline their CDD compliance. This infographic lists the features that ID verification APIs must have for them to be effective. The aim is to assist businesses in making an informed decision as to which ID verification API is suitable for them.

Ease of embedding into existing customer onboarding workflow:

ID verification API should seamlessly integrate into the existing customer onboarding workflow of the DNFBP.

Ability to capture key identifier details through OCR and extract ID information:

ID verification API should be able to leverage Optical Character Recognition (OCR) technology to successfully extract information from IDs. OCR technology enables the conversion of images into text, making it editable and searchable. OCR technology facilitates a quick verification process by converting scanned documents into readable data that can be used for the verification process.

Ability to verify the authenticity of captured documents:

ID Verification API should be integrated with effective verification methods to check the authenticity of government IDs such as the Emirates ID (EID).

Ability to validate information provided across the documents:

ID verification APIs should be able to validate information across multiple types of ID documents. For example, they should be able to validate information from a passport, driver’s license number, Emirates ID number (EID), trade license, certificate of incorporation, etc.

Ability to provide different options for integration:

These include options such as:

  • Direct integration with existing systems: This involves directly embedding the ID verification API into DNFBP’s AML software
  • Integration through core providers: This involves integration through core service providers that have in-built ID verification options
  • Integration through third parties: This involves using third-party platforms or tools for integration of ID verification API.

Ability to provide unified client onboarding and self-service solution:

ID verification API that offers both client onboarding and self-service options can make the customer onboarding journey swift and seamless.

Provide real-time support:

ID verification API provider should provide real-time support for addressing any issues that the DNFBPs may face.

Provide tutorials and user manual:

ID verification API provider should provide tutorials and a user manual to DNFBPs to help them understand the API’s features.

Provide usage tier-based pricing:

Tiered pricing based on usage allows DNFBPs to select a plan that suits their size of business operations and AML/CFT/CPF compliance needs, ensuring cost-effectiveness for the DNFBPs.

Support white labelling:

ID verification software should allow white labelling for DNFBPs, enabling them to brand the identity verification solution as their own for a seamless customer experience.

Should ideally be ISO certified and GDPR compliant:

This ensures that the ID verification API meets international standards and quality benchmarks.

Conclusion

Ensuring that the ID verification API is aligned with the above-mentioned must-haves will help DNFBPs invest in the right AML technology, which effectively facilitates their AML/CFT/CPF compliance.

Best Practices for Customising AML Software Notifications

Anti-money laundering (AML) software is a strategic tool that helps businesses meet their AML compliance obligations effectively. An important feature of AML software is its notification system. Notifications alert businesses to potential money laundering (ML), terrorism financing (TF) or proliferation financing (PF) risks, pending tasks approaching deadlines, action required on incomplete tasks, etc. Customising these notifications improves the efficiency of the AML software. This infographic lists best practices for customising AML software notifications.

Dos of Customising Notifications of your AML Software

Prioritise Relevance:

Priority should be given to notifications that alert users about high-risk transactions or activities that indicate ML, TF or PF risks. On the other hand, tasks which are routine can be given low priority. For example, a perfect sanctions screening match should be considered a high-priority task that needs immediate attention, while potential matches can be assigned medium priority.

Align Notifications with Risk Profiles:

Businesses conduct Customer Risk Assessment (CRA) as part of their AML program and create risk profiles for customers. Customising notifications to reflect these profiles ensures that ML, TF and PF risks associated with high-risk customers are closely monitored and addressed.

Use Clear and Actionable Language:

Notifications should be framed in clear and actionable language. They should communicate to the user the nature of the alert and the action that needs to be taken by the user.

Test and Validate:

Before adopting customised notifications, businesses should test and validate the system to make sure that it functions properly. Any issues identified during this testing phase should be addressed to make the notifications system robust.

Segment notification according to user decision-making capability and workflow:

Notifications should be segmented and customised according to the role and decision-making capability of the users involved in the AML program of the business. For example, a Money Laundering Reporting Officer is in charge of making decisions regarding suspicious activities and reporting through the goAML portal.

Therefore, the MLRO should receive relevant notifications regarding any suspicious activity that necessitates the filing of Suspicious Activity Reports or Suspicious Transaction Reports. On the other hand, frontline staff do not have such a role, and therefore they need not be sent such notifications. However, such suspicious behaviour and customer activities must be listed as red flags, and they should be included in the AML/CFT training.

Automate Escalations:

Automating escalations can help ensure that important alerts are prioritised and not missed. AML software should automatically escalate priority notifications to make sure that action is taken to resolve the notifications on time.

Set Time-Based Thresholds:

Notifications should be set to ensure that any deadlines or periodic tasks related to AML compliance are not missed. Time-based thresholds should also be set to detect and alert the users of any activities or transactions conducted after normal business hours that may indicate ML, TF or PF risks, or require immediate attention.

Set Real-Time Notifications for Critical Alerts:

For high-risk issues, real-time notifications should be in place. For example, a high-risk situation such as a name match in sanctions screening requires immediate action, including filing a Fund Freeze Report. Real-time alerts enable quick decisions to be taken on these issues.

Consider jurisdictional requirements:

AML regulations are different for different jurisdictions. Customising notifications to comply with jurisdictional AML regulatory obligations ensures effective AML compliance.

Regularly Review and Adjust Settings:

The system of notifications should be reviewed on a regular basis to ensure its effectiveness. Any gaps found should be filled through appropriate changes in settings. Feedback from the users should also be taken and incorporated into the notification system.

Don'ts of Customising Notifications of your AML Software

Don’t ignore user preferences and capabilities:

Notifications should be customised to the user’s role in the AML program of a business; ignoring this leads to confusion and to tasks being ignored due to excessive notifications.

Don’t configure alerts too close or too distant from upcoming document expiry:

Setting an alert too close to an upcoming document expiry can create panic among users, while alerts set too distant from the deadline may be ignored. Adequate time should be allotted to ensure that users can work on the tasks effectively.

Don’t create ambiguity about accountability by notifying all users at the same time:

Notifications should be role-specific. If all users are notified about all tasks, this will result in confusion and in tasks being ignored, leading to mismanagement of AML compliance without any accountability for the successful completion of tasks.

Don’t Neglect Ongoing Adjustments:

Notifications should be re-customised whenever there is a change in AML compliance obligations, business operations, products and services, etc. For example, if the time period for record-keeping requirements under AML law changes, notifications for time thresholds should be changed accordingly.

Don’t Use Generic Notifications:

Tailoring notifications to the needs of the user ensures that the alerts are properly addressed.

Don’t Ignore False Positives:

Every false positive should be reviewed and fine-tuning of the AML software should be done to minimise the future possibility of such false positives. This ensures that genuine alerts are not missed.

Don’t Forget to Train Your Team:

The users of the AML software, that is, the staff of the business involved in AML compliance, should be trained to understand the working of the AML software and its notifications system. This enables them to perform their role in AML compliance effectively.

Don’t Overload Users with Excessive Alerts:

Numerous notifications can confuse the users as to their role in resolving the notification and lead to important alerts being missed or ignored.

Conclusion

Customising AML software notifications is important for improving the usability of AML software and ensuring comprehensive AML compliance. By adopting the dos and don’ts discussed in the infographic, businesses can customise their notifications effectively and prevent the missing of any ML, TF, or PF threats.
