Background
The anti-money laundering (AML) EU policy imposes a number of compliance obligations on financial institutions, in particular due diligence regarding the identity of the customer and reporting obligations requiring these obliged entities to assess the risk of money laundering linked with concrete clients and concrete transactions.
The initial approach introduced in the 1990s with the first AML Directive was rule-based and left little space for banks’ own approaches, it was a rather “tick-the-box” job. For instance, if the characteristics of a financial transaction met the conditions specified in the rule, the financial institution was in principle obliged to report the transaction to law enforcement. This approach gave certainty to the financial institutions and the duties were relatively easy to comply with, as the assessment was largely formal. However, this approach resulted in reporting relatively few transactions that qualified as money laundering and significant overreporting of useless information. It was predictable, therefore, easy to circumvent by agile money-launderers.
In order to challenge the shortcomings of that approach, the 3rd AML Directive introduced a new risk-based approach which is now reinforced by the 4th and the 5th AML Directives. The risk assessment is conducted in concreto according to a list of criteria (defined by the European Supervisory Authorities). The obliged entities must design an AML model which prevents the use of financial structures for money laundering. Financial institutions (and other obliged entities) should adopt a risk management process to identify and manage money laundering risks in a flexible and less predictable way. In this model, the obliged entities are co-regulators and co-enforcers: the legislator delegates to the obliged entities both the design and the implementation of a model of AML control.
That approach puts a heavier burden – organisational, financial and linked with the risk of sanctions – on financial institutions. One of the main ways for financial institutions to deal with it is through automatisation of the due diligence process (Robotic Process Automation, RPA), which has several advantages, such as: cost limitation, increased effectiveness, elimination of monotonous work so that employees can focus on high value tasks; but it also presents challenges, such as lack of transparency and even more cumbersome possibilities of review for a customer considered suspicious. It is that process that this project aims at studying from the technological and legal point of view and contributing to its improvement.
Objectives
The overall objective is to understand and contribute to the development of machine learning tools for AML compliance, while examining the legal implications of the use of these tools, critically analysing the existing legal framework.
More concretely, this project would aim at achieving the following objectives:
One of the main tasks of the entities obliged to perform the AML due diligence is identifying the beneficial owner and taking reasonable measures to verify that person’s identity (Directive 2015/849 consolidated with the Directive 2018/843, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, Article 13). The O1 of this project is to propose a methodology that first collects open access data from European business and beneficial owners registers, and second analyses complex relationships between them to identify anomalies and fraudulent constructs.
Another main goals of the entities obliged to perform the AML due diligence is “conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.” (Directive 2015/849 consolidated with the Directive 2018/843, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, Article 13) The O2 of this project is to investigate the design of an AI tool that would be fulfilling that task.
In exercising their delegated competence of risk assessment, the decisions taken by financial institutions may have a detrimental effect on third parties who might be hindered in their financial transactions due to being categorised (potentially unduly) as risky. An incorrect assessment of the risks of AML can deprive clients of business opportunity. Financial institutions play here a public role in enforcing a policy and co-designing its rules by designing the risk management process. However, contrary to the public authorities, they are not subject to the same standard of scrutiny and accountability, while being potentially subject to sanctions for non-compliance. This means they might be willing to over-enforce in order to limit the risk of penalties. The objective of this project is to understand what the level of automation is already used by the financial sector in Luxembourg for AML compliance and how it is placed within the set of legal obligations of the respective entities. In particular, we would examine the legal implication of the use of automation for the AML compliance process from the perspective of the legal challenges for affected persons as well as possibilities of legal remedies for those persons.
Finally, combining the results of O1-O3, we would examine how the design of tools described in O1 and O2, could address the challenges identified in O3.
Project Outputs
Publications
Jafarnejad S., Robinet F., Frank R., “A Risk-Based AML Framework: Finding Associates Through Ultimate Beneficial Owners”, IEEE, 2024, online https://orbilu.uni.lu/handle/10993/62067 (retrieved on 21 January 2025), DOI:10.1109/CIFEr62890.2024.10772816.
S. Tosza, Enforcement of international sanctions as the third pillar of the anti-money laundering framework. An unannounced effect of the AML reform and the Sanctions Directive, New Journal of European Criminal Law (2024).
S. Tosza, O. Voordeckers, An anti-money laundering authority for the European Union: a new center of gravity in AML enforcement, Era Forum (2024)
More publications are currently under peer-review process.
Conference
Friday 31 JanuaryConferences, Free of charge, In-person eventAutomating anti-money laundering compliance: technical opportunities and legal challenges
Learn more