There is an infamous paradox in probability theory known as the “birthday problem.” The paradox is this: If you are in a room you would need 183 people together with you for there to be a 50 percent chance for one of them to have the same birthday as you; however, you only need 23 people in the room for there to be a 50 percent chance for two people in the room to share the same birthday. Similarly, there is a 99.9 percent chance of this occurring with only 70 individuals in the room.
Consider the risk and compliance name screening functions that ACAMS members perform today, including negative news screening, identification of politically exposed persons (PEPs), and matching other sources of news and data containing names that represent some level of regulatory or operational risk. It does not take a huge stretch of the imagination to posit that these operational functions behave much like a “birthday problem” room, but with a lot more “people” than necessary to achieve that 99.9 percent probability.
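The arithmetic behind the room sizes above, as an added example that is not part of the original article: the functions compute the chance that at least two of n draws from a pool of equally likely values coincide (365 values for birthdays) and generalize it to a pool of distinct names, so the scaling of name collisions with the volume screened can be seen. The name-pool sizes in the printed table are constructed illustrations, not figures from the article.

```python
import math

def p_collision(categories: int, n: int) -> float:
    """Probability that at least two of n draws from `categories` equally
    likely values coincide; the birthday problem is categories=365.
    Computed exactly as 1 - P(all n draws distinct)."""
    if n > categories:
        return 1.0                      # pigeonhole: a collision is certain
    q = 1.0                             # running P(no collision so far)
    for i in range(n):
        q *= (categories - i) / categories
    return 1.0 - q

def smallest_n(categories: int, target: float) -> int:
    """Smallest group size whose collision probability reaches `target`."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    q, n = 1.0, 0
    while 1.0 - q < target:
        q *= (categories - n) / categories   # add one more person
        n += 1
    return n

def approx_n(categories: int, target: float) -> float:
    """Closed-form estimate n ~ sqrt(2 * categories * ln(1/(1-target))):
    the tolerable group size grows only with the square root of the
    number of distinct values in the pool."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be in (0, 1)")
    return math.sqrt(2.0 * categories * math.log(1.0 / (1.0 - target)))

if __name__ == "__main__":
    # Birthdays: reproduces the 23 / 70 figures quoted in the article.
    for target in (0.5, 0.999):
        print(f"365 birthdays, P>={target}: n = {smallest_n(365, target)}")
    # Constructed pool sizes standing in for the number of distinct names
    # in a screening source (illustrative values, not from the article).
    for pool in (10_000, 100_000, 1_000_000):
        print(f"{pool:>9} distinct names: 50% collision at n = "
              f"{smallest_n(pool, 0.5)} (approx {approx_n(pool, 0.5):.0f})")
```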
A Growing Problem
In order for day-to-day operations to be commercially viable and for profits to be maximized without adjusting prices, exception processing costs—whether it is managing manufacturing defects, product returns, or reviewing potential risk and compliance issues—need to be minimized to the extent possible.
However, it is unclear to what extent similar “quality control” efforts can be applied to compliance and risk management functions. The “birthday problem” rears its head as the volume of names in regulatory-related and news sources increases. This occurs for a number of reasons:
- Companies expanding the remit of compliance and risk management functions, which can add information sources to those functions or extend the time period for which news is considered relevant
- Companies adopting a more risk-averse posture, which may result in potential matches that had been previously excluded automatically, now requiring review
- Regulators raising regulatory expectations, which can result in the need for one or both of the previous two changes to compliance operations, policies and procedures
Of course, names are more diverse than dates of birth. However, when commercial PEP databases are numbered in the hundreds of thousands or millions of records, or when the number of records being screened is exceedingly large, even a strict matching regime can generate an unmanageable set of results.
Quality is Job One
If both the internal data being screened and the risk and compliance data were complete and accurate, matching multiple factors in addition to name, such as birth date and affiliated country (which is not necessarily the country in which one resides), would go a long way to reducing the haystack of potential matches to a manageable level. Unfortunately, despite the best efforts of all involved, data quality issues reduce much of the matching effort to a single factor match against the party’s name.
Gaps in the completeness of the data held in company databases exacerbate match rates. Even if customer data is input from a photo ID, such as a driver’s license, it will not provide all the personal information that a data source used in screening might provide, such as a passport number or nationality. This will likely hamper the ability to differentiate the party from similarly named persons in risk and compliance sources. Conversely, those sources may lack the address detail that a personal ID contains. Even the party’s name may be incomplete in the company’s database, depending on how and when that data was collected, as middle names may be omitted or truncated to an initial.
The risk and compliance data that are screened against present similar challenges. It is reasonable (albeit expensive in terms of operational costs) to assume that names in both an organization’s stakeholder data and risk and compliance data sources could be incomplete for a number of innocent reasons.
In fact, internal data is likely to be more complete than risk and compliance data sources. News stories will rarely mention personally identifiable information other than name, nationality and/or city of residence. Similarly, the level of detail about the PEP may be less useful due to the diversity of people classified as PEPs:
- Officials in provincial and local governments are less likely to have made personal details publicly available than those at the federal level
- Details of relatives and close associates of government officials are harder to identify (other than their name and relationship to the official)
What is in a name?
The process and technology involved in matching names further increases the number of returned suspects to review. In order to properly mitigate risk, matching software must not only be capable of matching foreign language translations, spelling variations and full names to initials, but it must also deal with extraneous and missing elements. A firm’s party information may omit middle names that exist in compliance data sources, but it may also contain more detail than those sources do. While software might be able to ignore a name of Hispanic origin with a single surname that matches only a Hispanic maternal last name, the flexibility required in matching name elements inherently increases match rates.
The peculiarities of cultural naming conventions also conspire against the compliance professional. In Latin America, the significantly higher concentration of the population among the 100 most popular surnames (triple that in the U.S.), coupled with an unusually high concentration of given names, elevates name-only matches to data such as PEP databases and the Office of Foreign Assets Control’s (OFAC) counter narcotics trafficking sanctions listings. In an extreme case, approximately three out of seven people in Vietnam share the surname Nguyen.
Further complicating matters is the fact that, in certain cultures, people do not have surnames. The risk-based decision to permit a perceived “partial” name to match a “complete” name has significant consequences if the additional matches cannot be otherwise eliminated systematically.
Regulatory Burden
Regulatory expectations and actions can also significantly affect the number of alerts that compliance professionals have to manage. Oversight can guide how effective software must be in generating alerts, as well as how conflicts between matching and mismatching data elements are to be managed. Case in point: OFAC’s enforcement action against Wells Fargo for not identifying individuals on the Specially Designated Nationals (SDN) list, because the firm’s systems were not configured to compare the date of birth in the customer record, even though the clients’ addresses did not match those on the list.
Regulators, in their promulgation of standards, can, and do, drive the relative size of the operational burden:
- The U.S. has not implemented all U.N. terror sanctions designations. This is partly due to the fact that some of the listings lacked sufficient detail to prevent massive numbers of false positive matches that would be impossible to resolve, according to the latest Mutual Evaluation Report produced under the auspices of the Financial Action Task Force.
- OFAC designates certain aliases in its sanctions listings as “weak” with accompanying guidance that firms need not perform primary matching on these names, but should only use them to corroborate other matched information. On the other hand, the Japanese Ministry of Finance, which manages Japan’s sanctions lists, does not make that distinction.
- Regulators can and do extend their domestic definition of who constitutes a PEP. This has led multiple countries, including Mexico, India and Malaysia, to designate provincial legislators as PEPs (and, by extension, their relatives and associates). As noted above, lower-level officials are less likely to have many personal identifying details publicly available. In a similar fashion, candidates for office, grandparents and grandchildren are considered PEPs in parts of Latin America, yet they are less likely to provide actionable personal data for compliance purposes.
Love the sinner, hate the sin?
So, what is a compliance officer or risk management professional to do? How can these professions start to return to their roots as exception processing?
As Clint Eastwood said in Magnum Force, “A man’s got to know his limitations.” Translation: Compliance efforts have to be expended in proportion to both perceived risk and perceived cost.
One way to beat the “birthday problem” is to limit the number of people in the room. When it comes to customer data, this means doing more on higher value relationships, and/or those who use higher risk products, than on lower value ones. Does it matter that a customer is a PEP if all he/she maintains is a credit card with a $2,500 limit?
Even when the population being screened is winnowed, the set of results can be further actively managed by casting a wider matching net for more prominent risks and being more restrictive for less significant ones. This can be done a number of ways:
- The use of inexact matching is probably mandatory for finding sanctions targets, who are known bad actors. But that technology could be configured to match more strictly, if not eschewed completely, for finding PEPs, who are people who are only more likely to commit financial crime.
- Records that match a sanctions target’s name probably must be reviewed, even if nothing else matches. However, negative news that does not also match on some other identifying detail could potentially be skipped.
Some of this variability can also be keyed to customer risk level or customer value. A customer with a smaller average daily balance could be disregarded as a PEP once the PEP is out of office, while one with a larger balance might continue to be treated as a PEP for a number of years afterwards. Similarly, a customer with a smaller volume of expected business could be screened against two to three years of negative news, while one with a more significant volume might be screened against five to seven years’ worth.
Are we celebrating yet?
Ultimately, the “birthday problem” is a business problem to solve. The choice is clear: Find some way to control the number of candles on the cake, or be prepared to have additional staff help you blow them out.