Payment services were long offered to companies and individuals by banks, but in the last 20 years, dedicated and specialized providers greatly expanded the market. In 2020, global payments revenues reached $1.9 trillion.1 Digital payments mechanisms include credit and debit cards as well as recent payments innovations, such as digital wallets. The shift to digital payments is expected to continue.
One unavoidable measure of the booming success of payment services providers (PSPs) is the increased risk of financial crime. Unmanaged, this risk can pose an existential threat for PSPs. Perceived weaknesses in the controls applied by electronic payments platforms will consequently draw the attention of regulators and other market participants. Banks, for example, are increasingly expecting the PSPs that form part of their network to have strong anti-money laundering (AML) and fraud controls in place. Rather than wait for new regulations, PSPs can move proactively, incorporating lessons from banks’ experience while utilizing their own advanced technological skills.
The control mechanisms for managing financial crime risks have implications for the PSPs’ business model, customers and internal operations. The effects are determined by how the controls are set up. No miracle technological solution exists or will soon be developed to resolve these issues. In most cases, banks and PSPs continuously evaluate their internal processes to make them more resilient, better structured and more integrated. The tools, platforms and systems they adopt in this process are simply the enablers. This discussion lays out the key principles for designing a strategy that PSPs can use to their advantage in managing the financial crime risks while preserving and enhancing the PSP customer experience.
Mobilizing Around Managing Financial Crime Risk
As PSPs rethink their approach to managing financial crime, they can apply three core design principles:
- Build a proportionate framework. The control framework should be proportionate to the overall business model. Organizations will have to decide on the risks they are willing to accept versus those that will be outside their risk appetite. For example, some AML and know your customer (KYC) issues relate to an important advantage of the payments business model: the streamlined customer experience, including quick onboarding, verification and transactions.
- Challenge the traditional control environment. PSPs should challenge the efficacy of the control environment and framework of traditional banks. More controls do not necessarily mean better protection from financial crime for PSPs. By identifying this tension, PSPs will be able to think more creatively and actively develop solutions to meet regulatory requirements and to support their customer-experience goals.
- Be continuously proactive toward exposures. PSPs should do more than react to the regulatory requirements and attention from regulators. To respond effectively to their exposures, PSPs will have to anticipate risks and build protections proactively into the design of core services and products. They must also continuously update their approach, swiftly adjusting their regular and ad hoc software releases. For example, to address the changing fraud threat landscape, this strategy ultimately will help PSPs design next-generation mechanisms to counter financial crime.
Managing Financial Crime Risks: Five Core Pillars
The success of digital payments channels has challenged the industry to manage the associated non-financial risks, particularly financial crime risks. PSPs are in a good position to manage these risks effectively, as they can build on the prior experience of banks, adopt the positive lessons and avoid practices that have not worked. In shaping their strategy to fight financial crime, PSPs should consider five core elements, as shown in Graphic 1.
The five core pillars for fighting financial crime outlined in Graphic 1 are designed to capture the inherent strengths of PSPs and build on lessons from the experience of industry participants. Using mainstream and advanced technological capabilities, PSPs are well-positioned to challenge the standard anti-financial crime (AFC) approaches and re-engineer ineffective industry practices. The staged rollout of such a journey begins with a risk assessment and the definition of their appetite before proceeding through the fuller set of actions as follows:
A Tailored Risk Assessment Driving Risk Appetite
A tailored risk assessment of the specific risks emerging from the business model is needed to drive a well-articulated risk appetite. PSPs and other service providers to consumers and merchants need to identify the specific potential risks and build the appropriate internal infrastructure to protect their businesses. Each PSP will have to consider the distinct financial crime risk typologies and scenarios to which their business models are exposed. For example, an e-commerce platform may attract fraudulent merchants that collude with customers to transfer illicit funds. Platforms providing cross-border payments may be used to bypass controls enacted by other institutions. Effective risk identification entails much more than high-level definitions and assessments of risks on a theoretical basis. It should involve detailed, data-driven analyses of the merchant’s role in the payment value chain, the types and segments of customers within their portfolios, their business models and product offerings, and their transaction flows in terms of volumes and types. The analysis can then be used to set the risk appetite and associated tolerance thresholds to monitor on an ongoing basis. All should be continuously captured and updated, with triggers embedded in the controls when divergence from the risk appetite is identified.
Segmented Client Portfolio and Transactional Flows
Segmentation enables more targeted and differentiated risk management measures. The objective of detecting and stopping prohibited transactions and bad actors often comes at a high operational cost. Enterprises do not have enough resources to monitor all transactions and customers equally. The idea behind an appropriate risk-based approach is that PSPs should focus more comprehensively on the small percentage of potentially risky transactions and customers. To do this, institutions will need to develop more nuanced segmentation models based on real-time and up-to-date data to enable targeted detection and a clear ranking of customers and transactions from lowest to highest risk. Such a model would consider not only historical transactional data and static customer records in KYC files but also forward-looking data points and external bad actor data.
Integrated, Streamlined Controls and Activities
PSPs are highly skilled in developing unified infrastructure and integrated teams across risk types such as fraud, AML, sanctions and cyber risk. Their experience has led to quicker decision-making while increasing the effectiveness of the respective controls. PSPs have a less siloed structure in this respect than banks. They can use data from each of these related risk disciplines to inform decision-making across the processes. They should invest in building solutions that can bring together several controls, ideally ensuring that journeys are “compliant by design.” For example, this may involve leveraging fraud detection and AML transaction monitoring data and controls to identify trends suggesting correlations between money laundering and other prohibited activities. It may also involve integrating the various AFC controls that apply to certain product or service offerings to avoid customer friction and enhance overall effectiveness. The approach potentially results in better outcomes, as these risks are inherently linked.
Data-driven, Continuous Risk Management
The use of innovative and existing technologies and data will enable PSPs to roll out continuous and targeted monitoring solutions, the design of which is informed by tailored data analysis rather than expert judgment only. PSPs should aim to design intelligent, automated processes, applying machine learning and analytical approaches where it makes the most sense. These tools can dramatically improve effectiveness, reducing false positive rates and reliance on labor-intensive processes. For example, leading firms are adopting a live, “always-on” model for assessing the risk of customers throughout their life cycle. The analytics-driven approach draws on both dynamic data, such as transaction flows, and static data, such as customer segments and geographical risk rankings, to better risk rate customers. Some firms are developing artificial intelligence (AI) models that learn from the experience of historical investigations to segment and prioritize alerts. Many are also deploying machine learning to drive dynamic optimization of transaction-monitoring scenarios. Utilizing analytics is not only about deploying machine learning and AI; oftentimes, basic, descriptive analyses using customer and transactional data (to understand expected customer behavior, for example) can help experts save time, make better decisions and deploy more targeted controls overall.
Customer-centricity and Transparency
Embedding stronger AFC controls does not necessarily mean that processes should have a negative impact on customer experience
Embedding stronger AFC controls does not necessarily mean that processes should have a negative impact on customer experience. Instead, the controls embedded in the customer’s journey can enhance their experience and trust in the PSP. Onboarding, a critical part of the journey, can be redesigned to improve the customer experience with faster transaction speeds and enhanced ease of interactions via digital channels by using external data and user-friendly interfaces. Even simple ideas—such as providing increased transparency toward customers regarding step-by-step requirements or sharing their progress with them during the onboarding process—will often generate a better experience for customers. The approach closely ties together the business and risk objectives of the organization. Many institutions have moved to a model where the controls related to financial crime are developed hand in hand with new products or the customer’s journey and are deduplicated across risk types. For example, when designing a new product focused on financing, some institutions ensure that documents requested from clients are shared in advance. These can be reused to assess or mitigate risks or use cases and are differentiated based on their risk profile. Documents required for certain processes (such as ownership structures, income statements and bank statements for underwriting) can also be used to address financial crime risks by providing a clear view on ownership structures and sources of funds. Ensuring a holistic view of controls and creating transparency to customers regarding the requirements and their purpose is paramount to ensuring a smooth customer experience.
Key Considerations and Lessons for a Sustainable Operating Model
As PSPs develop their approach to managing financial crime risk, they can incorporate seven key lessons from the industry’s past to avoid wasting resources on ineffective approaches:
The tremendous and continuing success of digital-
payment channels and the business models of payment service providers coincided with the rise of financial crime and is, therefore, drawing regulatory attention
- Embed controls within processes and decisions: Many PSPs are often starting with a clean slate and possess significant relevant advanced technological expertise. They are therefore well-positioned to plan compliant-by-design processes with limited data or system constraints.
- Design controls proportionate to the business model: The increased cost and focus on controls is often a direct function of the business model selected. For instance, in the case of PSPs seeking to serve high-risk sectors such as crypto or digital asset platforms, investing in more effective and efficient controls and frameworks is a prerequisite to serving the parts of the market that are at higher risk.
- Think ahead and focus on data: Define data requirements early and begin standardizing and capturing that data. By drawing lessons from data gathered from control activities such as onboarding and ongoing due diligence (e.g., on geographies and sectors served by merchants) and then incorporating these into business decision-making and product offerings, PSPs could make their products and services better and improve the customer experience.
- Always build a business case: Infrastructure investments should be supported by a clear business case to avoid expensive solutions that are only marginally effective.
- Plan for complexity: Establishing a robust and effective infrastructure for managing financial crime risks is a complex undertaking that should be planned and tracked carefully by the correct dedicated subject-matter experts.
- Extract better value from existing controls: Many AFC controls can be leveraged further. For example, information on business activities and counterparties gathered as part of the onboarding and ongoing due diligence process can provide insights into the client’s activities and can be used to qualitatively assess their environmental, social and governance (ESG) profile and impact. In addition, adverse media screening used to determine the financial crime risk of a particular client can be tuned to focus on ESG-related topics, such as identifying clients with significant exposure to specific industries.
- Consider the unintended benefits of a strong financial crime risk management program: Strong AFC capabilities will help enhance the ESG profile of PSPs.
The tremendous and continuing success of digital-payment channels and the business models of payment service providers coincided with the rise of financial crime and is, therefore, drawing regulatory attention. When PSPs build a response to counter-financial crime, they should anticipate rather than react to the changing regulatory environment, taking advantage of their advanced technical knowledge and the prior experience of banks.
Shreyash Rajdev, associate partner, McKinsey & Company, firstname.lastname@example.org
Vasiliki Stergiou, partner, McKinsey & Company, email@example.com
- Alessio Botta, Philip Bruno and Jeff Galvin, “The 2021 McKinsey Global Payments Report,” McKinsey & Company, 2021, https://www.mckinsey.com/industries/financial-services/our-insights/the-2021-mckinsey-global-payments-report