Blockchain could be the answer to increasingly tough anti-money laundering (AML) statutes and enterprise fraud management (EFM) requirements looming for the financial services industry.
In a report released this week by Forrester Research, blockchain's distributed ledger technology – because it is both secure and immutable – is ideal for meeting new government requirements and serving as a trusted repository for identification purposes.
"This makes it a trusted repository for providing device ID, known fraudster, transaction and other blacklists used in AML and EFM," Forrester said in the report. "Updating these repositories will no longer be the privilege of AML and EFM vendors only. In addition to these existing vendors, new identity coin and social identity verification vendors and [financial institutions] themselves will be able to update crucial blacklists."
Governments are also considering using blockchain networks to secure sensitive data, but none as of yet have, according to Martha Bennett, a principal analyst at Forrester Research and co-author of the report.
This year, several new regulations will toughen requirements on financial services to ensure customer privacy and secure online and mobile payments. The new laws include the Revised Payment Service Directive (PSD2) and the General Data Protection Regulation (GDPR). Additionally, the Fifth European Union Anti-Money Laundering Directive (5AMLD), which is currently being negotiated, will likely increase oversight of virtual currencies, prepaid cards, information sharing and enhanced customer due diligence.
Starting in May, GDPR will force European banks to rethink how they store, manage, use and disseminate personally identifiable information, according to the report.
"If they wish to partake in blockchain-based AML and EFM device, whitelist, and transactional data sharing, [financial institutions] must adapt their privacy policies and tools to be able to cope with this requirement," Forrester said.
The research firm expects that privacy regulations and disclosures will have to cover blockchain-stored data assets as well.
"GDPR is one key requirement for handling [personally identifiable information] data securely," Andras Cser, a Forrester principal analyst and co-author of the report, said in via email. "Encryption algorithm standardization and strength testing (FIPS, etc.) are also key steps here."
Fraud and money laundering cost billions
Last year, the cost of retail fraud — everything from fraudulent transactions to fraudulent returns — amounted to 1.9% of revenue, up from 1.47% in 2016. With Forrester's estimate of $3.56 trillion in U.S. retail sales in 2017, fraud will cost U.S. merchants almost $68 billion. On top of that, the cost of detecting and preventing money laundering is steep, as are the fines for businesses that fail to do so.
In 2018, for example, Dutch Rabobank was fined $369 million by authorities for handling illicit funds. And last fall, a data breach at consumer credit reporting agency Equifax, resulted in 143 million records being stolen.
Widespread availability of sensitive consumer information on the darknet and synthetic identity fraud – where criminals use stolen data combined with fake information to create credit and bank accounts – has proven traditional know-your-customer verification and knowledge-based authentication is unreliable.
AML and EFM are harder than ever to enforce and need to rely on the most diverse data possible, Forrester said, adding that "verifying identities before allowing them to transact helps avoid fraud losses in a complex payment ecosystem."
That's where blockchain can be useful.
Because it is an immutable, auditable electronic record, blockchain ensures that transaction records contain artifacts and identifiers of previous transactions. "This allows authorized investigators to backtrack transactions on the blockchain more easily than with current AML and EFM systems," Forrester said.
Blockchain implementations will challenge the monopoly of legacy identity verifiers – credit bureaus such as Equifax, Experian, RELX, and TransUnion, as well as watch list providers such as Dow Jones and World-Check – by providing auditable data for anti-money laundering.
Blockchain implementations for AML and EFM aren't expected to begin surfacing for another year to two in North America and for two to three years in other geographies, according to Cser.
Initially, enterprise blockchain networks will likely co-exist alongside more traditional AML and EFM tools, "at least Initially," Cser said.
"The biggest issue is creating the regulatory, privacy and legal framework for [blockchain's] adoption in EFM and AML," Cser said.
Forrester expects that existing and new data provider vendors, as well as banks and financial institutions, will be able to contribute to distributed and controlled blacklists/whitelists and privacy-controlled transaction repository blockchains.
And, because blockchain is built on open-source software such as Ethereum, MultiChain, OpenChain and other iternations, it is less expensive to acquire a platform, while anyone can also view, audit and fix security flaws in blockchain implementations.
Requirements for enterprise fraud management and anti-money laundering are similar in that it's "all about looking for patterns, identifying known bad players, and performing investigations.
"The main difference is that, while AML has traditionally been batch-based and reactive, EFM in the past five years has largely turned proactive," the Forrester report said. "Using real-time data in EFM is now a standard and critical requirement. EFM will use blockchain in risk-based authentication and account takeover detection as well as in back-end transaction (payment) monitoring."