AMLCFT: Fuzziness & Why it Matters in Name Screening
Did you know that there are more than 80 different spelling variations for the first name Aaliyah? People spell the same names differently around the world for many reasons. Sometimes, even within a single country, there can be heavy debate on the 'correct' spelling of a person's name. Phillip vs Philip, Jeffrey vs Geoffrey, Makayla vs Michaela, Steven or Stephen. Are these the same name or entirely different names? We haven't even gotten started on spelling variations that arise when translating names from the non-Roman character sets common in Asia and the Middle East.
While this would be a fun topic if we were discussing baby names, this article is unfortunately about name screening for anti-money laundering and countering the financing of terrorism (AMLCFT). The thing about watchlists published by various governments and anti-terror organizations is that very often they are not based on records with the one 'correct spelling' of the suspected crime-lord's name. The problem is further exacerbated by the fact that when it's time to screen your customer, you're probably basing it off an identity document which could contain any number of variations in the way their name has been spelt. So how do you find a match?
To prevent your organization from getting into a prickly situation with this name matching conundrum, enter the concept of Fuzzy Logic.
What exactly is Fuzzy Logic?
Fuzzy Logic is a buzzword you'd likely have seen stamped on the side of almost every electronic appliance manufactured in the 1990s. What it really is though, is a mathematical way of making a computer system do exactly what your human brain does naturally - seeing a range of possible outcomes instead of seeing things as either just true or false (or more accurately 1's and 0's). Now the reason why this is useful is that in AMLCFT screening situations, the data you work with is seldom (if ever) perfect. Consider all the reasons why you would be working with data that is flawed:
Data that has been subject to human error - like manual entries of names, dates of birth, and nationalities at passport or border control.
Data that has been subject to manipulation - insertion of small changes in the spelling or layout of people's names to conceal their true identity.
What is certain is your obligation to design a system that does its absolute best at finding potentially high-risk transactions and ensuring that they are reviewed to ascertain their actual level of risk before letting them proceed.
What goes wrong when you don't use it?
The absolute worst case scenario would be allowing an actual terrorist or sanctioned party to make a financial transaction on your platform that violates one of the mandates set by your regulator. There are of course situations which would be completely out of your control but not having an adequate screening system in place is definitely not one of them.
A somewhat milder scenario, although similarly detrimental to your compliance and risk management standing, would be missing out on performing required enhanced due diligence on a Politically Exposed Person (PEP). Even though they are unlikely to perform any criminal or illegal transactions, you have already fallen short of the required standard just because of who the customer is (rather than what transactions they've done on your platform).
In both situations, there will be the requirement to remediate your database of users, which will cost you time and money. The remediation will not stop at the one case in question: such a failure will likely call into question the capabilities of your entire screening program, and a mass remediation program would be required. This is of course in addition to potentially heavy fines for facilitating the transaction itself, which we've written about at length in our article about critical mistakes that put your business at risk.
Sounds like a good idea to implement then, any drawbacks though?
Unfortunately no process or tool comes without drawbacks and using fuzzy logic isn't immune to this either. Not using exact matches introduces false positives into the mix. False positive review (and manual dismissal) contributes the bulk of day-to-day operations work. Just ask any FinCrime team and they'll tell you that most of their day is spent trying to prove that this flagged person isn't a match to the sanctions watchlist rather than the other way around. That being said, for the foreseeable future at least, it's a necessary evil given the risk of missing out on a genuine screening match is far too great.
Solutions have begun to enter the market which will allow feedback from your team to be keyed in on a case by case basis. This, in turn, strengthens the AI models of the underlying tool making future results more accurate. With enough technical expertise you could probably build such a machine learning model yourself, but for most organizations it would make more sense to pick one of the many off-the-shelf name screening solutions that provide some form of Fuzzy Logic configurability.
Is there a 'right' amount of fuzziness to use?
As with all things in life, there isn't one right answer. That being said, it's an industry norm to run between 10-20% as a starting point, and then adjust according to the unique circumstances of your application. The less you trust your inputs, the greater the fuzziness percentage you should go for. Some of these considerations include:
Are the names you are screening user-populated (prone to error, commission or embellishment)?
Are the names coming off a verified database (a government website, or error corrected by your own staff after comparing against original identity documentation)?
Do you offer flexibility in how customers choose to have their names stored (e.g. shortening Nicholas to Nick)?
Do you have honorifics and salutations (Sir, Ms, Mr), patronymic suffixes (bin/binti/anak), and legal forms (Sdn Bhd/Pty Ltd) stripped from your search strings?
The most sound advice is to not use a single data point, but instead use multiple. We cover this in more detail in our article on Handling False Positives.
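To make the threshold and the stripping questions above concrete, here is an added example (not the author's code and not any vendor's algorithm). It assumes "fuzziness" means edit distance as a fraction of the longer normalized name; the strip list and the watchlist entries are constructed for illustration.

```python
import re
import unicodedata

# Tokens stripped before comparison (honorifics, patronymics, legal forms).
# Constructed short list for illustration, not a complete reference set.
STRIP = {"mr", "mrs", "ms", "sir", "bin", "binti", "anak", "sdn", "bhd", "pty", "ltd"}


def normalize(name: str) -> str:
    """Lowercase, drop accents and punctuation, remove stripped tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(t for t in tokens if t not in STRIP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzziness(a: str, b: str) -> float:
    """Assumed definition: edits needed as a fraction of the longer name."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 1.0  # nothing left to compare, treat as no match
    return edit_distance(na, nb) / max(len(na), len(nb))


def screen(customer, watchlist, max_fuzziness=0.20):
    """Return (entry, score) pairs at or below the threshold, best first."""
    scored = [(w, round(fuzziness(customer, w), 3)) for w in watchlist]
    return sorted((s for s in scored if s[1] <= max_fuzziness), key=lambda s: s[1])


# Constructed sample data, not taken from any real watchlist.
WATCHLIST = ["Philip Steven Tan", "Ahmad bin Ismail", "Michaela Geoffrey Sdn Bhd"]

if __name__ == "__main__":
    print(screen("Phillip Stephen Tan", WATCHLIST))        # inside 20%
    print(screen("Phillip Stephen Tan", WATCHLIST, 0.10))  # outside 10%
```

The same customer name is flagged at 20% fuzziness and missed at 10%, which is the trade-off between false positives and missed matches that the threshold controls.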
So I'll be needing some new expensive tools, then?
The good news is you don't necessarily need brand new expensive tools, however they surely do help reduce complexity and add flexibility in calibrating the standard you want to adhere to.
At a bare minimum, you could always use existing tools you have such as Microsoft Excel or a version of OpenOffice with the installation of an optional fuzzy logic add-on. These are usually available free of charge if you look hard enough in their optional upgrade packs or help forums. Our only word of caution would be not to get suckered in by any Excel lookup functionality with "Exact Match:Yes/No" options, as these refer to a completely different type of search functionality that has nothing to do with fuzziness.
If setting all this up yourself seems a little unwieldy or outlandish, know that you're not alone. Thousands of firms in the payments and money transfer industry face the same issue daily. Contact us today for a no-obligation discussion on your current business model and screening needs and how we can help set your teams and tools up for success.