Financial crime and fraud threads

Hey :wave:

Recently I’ve noticed an upsurge in threads related to financial crime, fraud, KYC (Know Your Customer) and AML (Anti-Money Laundering). I wanted to share a few things and hopefully put these discussions to rest.

Firstly, I understand there is great interest in this topic. It is something that impacts everybody, and something which people can experience in a very negative way if they are ever defrauded.

As an introduction to how we approach signing up customers and KYC, you can read this blog post. We take financial crime, including the KYC process and our customers’ financial security, very seriously. At the same time, we take the customer experience very seriously and want to ensure that as few people as possible are impacted by our methods of trying to spot and stop financial crime and fraud.

One of the reasons for releasing the blog post above was to try to be as open as we can be about an area of banking that is not often talked about. As well as that blog post, you can also read this one about fighting fraud with machine learning and this one about how we fight financial crime.

A few common themes have been popping up on the forum, and I wanted to address each one in turn:

  • For those of you who have experienced blocked cards or declined transactions - we do very occasionally block genuine customers accidentally, and for this we are truly very sorry. The quickest way to get this dealt with is to speak to customer support. Bringing it up on the forum actually slows down the process because your query bounces around between a few teams. Our customer support team are there to help you and are the people who can deal with this quickest.

  • For those interested in how our financial crime and fraud prevention systems actually work - please read the blog posts above! We run a series of checks when everyone signs up, we have machine learning engines and rules that look at transactions and behaviours on accounts, and we run a series of ongoing checks and risk assessments (which could include reaching out to you with a few questions). As I am sure you can appreciate, we cannot expand on what those rules are, or what metrics we use in our machine learning engine. If we did then it would be incredibly easy for criminals to attack us.

  • For those interested in whether it is possible to open an account with a fake ID - we run checks on IDs to ensure that they are authentic. It should not be possible to sign up with a fake ID.

  • For those of you who are non-Monzo customers who have been defrauded by Monzo customers - we are truly sorry about that. As mentioned above, we run lots of checks and monitor transactions and behaviours continuously. An interesting trend we have seen is that criminals are willing to use their own identities to commit fraud. This makes it hard to spot and stop before it happens. I can assure you that we are compliant with all financial crime regulation and perform necessary checks on all customers. Unfortunately social engineering fraud or advanced fee fraud, or indeed most other types of fraud, are quite common. Stopping this from happening through Monzo accounts is something that the financial crime team are passionate about.

  • And for anybody else - whilst we try to be transparent in everything we do at Monzo, there are some things that we just can’t talk about in great depth. As our blog posts hopefully show, we do talk about financial crime as much as we can, and we certainly plan on releasing more blog posts in the future.

Hopefully this will answer a lot of questions. Whilst financial crime is super interesting, I am going to ask that all community members refrain from demanding answers to questions that we just can’t provide. If you have an issue with your account, please do get in touch with customer support through the app.

If you have any concerns about this then please feel free to reach out to me, or another of the moderators.

If you have any specific concerns related to your account, please reach out to us via the app or help@monzo.com

27 Likes

Good read - but can you pop up the links that are implied? Be interested to read those too :slight_smile:

1 Like

Apologies - it appears all the formatting ran amok in a copy-paste :see_no_evil:

3 Likes

Isn’t this perilously close to security by obscurity?

What if a disgruntled employee divulged it? Would your security collapse?

3 Likes

I don’t think it’s quite that. To me, security through obscurity is when there’s a flaw in the system and it’s hidden rather than fixed (under the assumption if people don’t know about it, they won’t be able to use it).

With a banking situation, a lot of it is going to be about patterns of behaviours, and if you say what patterns you’re looking for then naturally everyone’s going to stop working that way. So you have to look for and identify new patterns - but if you say what they are… well, you see where I’m going.

Short version: if you spot criminals repeatedly doing [action], you don’t want to let them know how you’ve spotted them so you can keep on catching criminals in future.

I would hope that any employee working in this sector would have “Don’t disclose any of these sensitive details” as part of their contract, and so the risk of getting sued to buggery would make doing so not worth it. I mean, certainly I’m not aware of there being a flood of disclosures about other banks, who goodness knows have had more than enough years to generate a fair number of disgruntled employees!

4 Likes

Not really, and the divulging of procedures and limits and rules which relate to fraud checks may be prevented if they also relate to money laundering checks

2 Likes

Were you to let a money launderer know you suspected them of that offence or that you were investigating them you would be guilty of an offence of “tipping off”

1 Like

Ah, yes. I was thinking of in terms of the reason for criminal A’s capture being disclosed so criminal B thinks “I’d better not do that, then”. But if you read my example in terms of it being the same criminal all the way through, you’re quite right.

1 Like

security by obscurity is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system

Seems to me to apply.

It’s not a main method though, it’s an additional layer of security

1 Like

Security through obscurity, while frequently demonised, does in fact have a valid place in a layered approach. It should never be the ONLY approach, though.

Think of it in the physical world - a secret base hidden in the jungle helps, but you still want all the high-tech security you can on that base.

5 Likes

In this specific case it’s not about ‘providing security for a system’, though. It’s about catching fraudsters. You’re looking at the situation from the wrong direction, as it were.

In any case, as @anon44204028 points out, AML regulation applies meaning banks often can’t say anything even if they wanted to.

1 Like

For me, the test for security by obscurity, is ‘if I knew what the security was, could I easily work around it’ and I think this passes that test.

For instance, if the threshold for triggering checks was a transfer of 10k, I could send 9k and not trigger it.

Now obviously this is simplistic for argument’s sake, but in principle I think the point stands. The reason banks can’t talk about it is that it is straightforward to defeat if known.

In time, all things are known.

Edit to add: I’m in no way attacking Monzo here, more the ill thought through legislation that so often comes out of nanny or knee jerk politics. There is no way that the people who make a living out of laundering money don’t know all of the thresholds and basic checks used by banks.

2 Likes

There are no above ground secrets any more so all your attempt at hiding in the jungle has done is increased your costs, 'cos bases in jungles stand out like a sore thumb :wink:

I would say “yes” - it is security by obscurity to an extent.

However, in this context, it’s not a bad thing for two reasons:

  • There’s no real alternative
  • We’re not talking about ‘security’ in the context we normally talk about it (i.e. the security of computer systems). “Counter-fraud by obscurity” would be better.

As Hugh said, our fraud systems do detailed analysis. If the inner workings of this system were disclosed in full, it would be possible for someone to circumvent them.

The argument is largely academic because we use lots of black box machine learning methods - from which it is generally not possible to derive a meaningful set of rules that could be disclosed, anyway.

10 Likes

And of course, if you are using truly adaptive and learning systems, they should be able to adapt to the countermeasures employed by the criminals.

1 Like

Some discussion about it here on this Reddit thread

ROFL @ this comment

4 Likes

Interesting read, the thread speaks for itself quite clearly.

2 Likes

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.