At the end of 2021, political scientist Esmé Bosma will defend her doctoral dissertation at the University of Amsterdam as part of the FOLLOW project. This five-year long European project has studied the actors in the chain aimed at countering terrorism financing. Bosma researched the role of banks. Her colleagues studied the role of the investigative authority, the Finance Intelligence Unit (FIU), and the (national and international) court cases on this topic.

Bosma: ‘I researched the role of banks as gatekeepers. In particular, the countering of terrorism financing at the human-technological interface. Technology and the underlying data play a crucial role during customer screening (know-your-customer) and transaction monitoring by banks, and in the rise of new public-private partnerships.’

Difficult, if not impossible

Field work at (Dutch and British) banks was an important part of the study, Bosma says. ‘Banks encounter daily dilemmas in their transaction monitoring. They are legally required to detect and report to the FIU any ‘unusual transactions’, i.e. transactions that could point to money laundering or the financing of terrorism. My conclusion is that there is a gap between the regulation and practice. Banks are being given more and more responsibilities. However, in practice it turns out that detecting and preventing terrorism financing in a traditional manner - i.e. by means of rule-based transaction monitoring systems - is very difficult, if not impossible. Furthermore, in the quest for usable indicators, banks quickly face the problem of profiling. Terrorism is often financed with small amounts and can also be financed with legitimate funding sources, such as loans or grants. And as soon as a transaction leaves the bank and sometimes also the country, the bank loses sight of it.’

Bosma: ‘In short: terrorism financing is not being detected via the current systems. But banks are indeed expected to detect and report terrorism financing. Prevention actually depends on other forms of detection, such as informants or other surveillance by police or security  agencies. In other words: banks search their systems for leads on terrorism financing. But without a concrete reason or lead, that is extremely difficult to find.’

Bosma: ‘Another thing I noticed was that in practice it is becoming increasingly complex  to create a customer-risk profile. The growing importance of technology and data in this process gives rise to new dilemmas between commercial and security considerations. After all, banks depend on filtering and monitoring techniques to detect whether a customer is doing something illegal. For the detection of terrorism financing, banks are also increasingly dependent on links with commercial lists and on systems that screen news sources. Can a news report provide enough reason for a bank to screen a customer or stop doing business with them? The use of these kinds of public sources is growing. But the question remains how reliable this information is and what banks should do with it. It is an ethical issue because who decides which customer poses a heightened risk? Because of high compliance costs, growing pressure from regulators and what is referred to as reputational risk, banks are increasingly opting to no longer do business with high-risk customer groups such as (religious and other) foundations, aid organisations, embassies, sex workers and now also – in the Netherlands - parties that spread disinformation. Fortunately, attention for the undesired effects, such as financial exclusion, is also growing at the international level.’

Banks are certainly looking for solutions, Bosma observed: ‘On the one hand, in the form of technological innovation: could artificial intelligence provide solutions? On the other hand, banks search for in the form of intensifying public-private partnerships, like the one with the Dutch Terrorism Financing Taskforce (TF Taskforce). In this context, banks receive customer’s names to enable them to search their systems for signs of terrorism financing before a criminal investigation is taking place.’

Costs and benefits

The compliance costs of the private sector are not proportionate to the yields, is one of Bosma’s conclusions: ‘When I started my research four years ago, a few hundred people were working on this topic at every Dutch major bank. Now that this number has grown to several thousand at each bank, while a public actor like the FIU, which processes reports,  only employs 76 people. These kinds of figures do not say much about the substance of the work, of course. But they do indicate the tremendous growth of the financial crime compliance industry. And although the privacy impact of the current system is enormous, you could say that the yields throughout the chain are still very little, . A Europol report from 2017 indicated that just 10% of reports resulted in further investigation and detection. The percentage of criminal money flows detected is estimated at 1-2%.’

Stop ineffective practices

When asked how the current system could be better balanced, Bosma replied: ‘Firstly: balance the capacity of the public and private actors. If necessary, increase the FIU’s capacity and consider to what extent it makes sense for banks to hire even more people to do this work. It could also be investigated how measures in relation to financial transparency relate to combating financial-economic crime, see for instance  the work of Transparency International and the Tax Justice Network. Finally, I suggest that banks should do work that actually helps to track down crime, and not work that is purely focused on compliance. Deploy a risk-based approach that provides for the acceptance of some residual risk. Public and private actors should work together to determine priorities, figure out what is realistically possible and stop ineffective practices. This prevents that implementation as well as supervision ‘goes overboard’.

Do nothing or do more?

Bosma concludes: ‘You often hear people say: it’s ridiculous that banks have this task. But you also hear them say: banks should be doing much more. The question lies somewhere in between: what can you actually expect from a bank? This is also a political and societal question: what task we relegate to private actors in these kinds of far-reaching security decisions, and under what conditions?’