By Murray Collyer
In January 2025, the global anti-money laundering watchdog, the Financial Action Task Force (FATF), will review its decision to greylist South Africa and interrogate the public and private sector measures to address its concerns.
The country will need to demonstrate a practical, scalable plan to combat money laundering, fraud and other financial crimes. Failing to achieve this will have serious economic knock-on effects, such as a significant decrease in international capital inflows and downgrading by credit rating agencies, all of which will negatively impact the rand.
An extended greylisting is also a serious threat to state-owned enterprises that rely on offshore debt capital markets for funding.
This doesn’t need to be South Africa’s reality. Mauritius successfully met FATF’s criteria and was removed from the grey list in two years. However, this required focused attention and collaboration from the public and private sectors.
Now, South African financial institutions are under the spotlight and the country has just 18 months to demonstrate an effective anti-money laundering (AML) strategy. It is sufficient time to make enough strides to reverse the greylisting, as the technology exists to combat money laundering and financial crime at scale.
Money laundering – banking’s Achilles heel
South Africa’s greylisting spans a wide range of shortcomings, some of which fall within the remit of the public sector. The private sector, however, can make a concerted effort to combat money laundering and financial crime. While some criminal activity occurs using cash or cryptocurrencies, banks remain vulnerable to money laundering, particularly in cross-border transactions.
Currently, only 1% of laundered funds are ever recovered despite the government estimating R35 billion to R143bn is laundered through local financial institutions each year.
The root of online financial crime
To successfully combat money laundering and financial crime, banks need to get to the root cause of how these crimes can go undetected. And this root cause is identity.
If banks want to effectively and reliably counter financial crime, they need to validate one critical piece of information: a person’s identity. Banks need the security that a person performing a transaction on the other side of the screen is who they say they are.
As our lives grow increasingly digital, the ability to counter cybercrime is an urgent consideration. The global police agency Interpol’s Global Crime Trend Report 2022 estimates that over 70% of respondents (all from law enforcement) expect crimes such as ransomware and phishing attacks to increase significantly in the next three to five years. This renders the traditional verification technologies banks favour, such as one-time passwords (OTPs), outdated and a security risk.
Digital security threats to banks
Biometric security threats currently fall into two categories: presentation attacks and digital injection attacks. Presentation attacks refer to photos, videos, or even masks being held up to a screen to fool the technology into mapping the features of the identity being defrauded. On the other hand, digital injection attacks see imagery injected directly into the video stream, either through emulators, hacking tools, or virtual cameras.
This directly injected imagery includes sophisticated “deepfakes” or “face swaps”, where AI technology spoofs another person’s likeness.
iProov, iiDENTIFii’s technology partner, reveals in a new 2023 study that there has been a 149% increase in digital injection attacks and a 295% increase in face swops. With the emergence and growth of face swops, low-skilled criminals now have the means to launch advanced attacks. Threat actors launched motion-based attacks simultaneously and at scale against hundreds of systems globally.
To the untrained eye or technology, face swop synthetic imagery has the characteristics of the genuine individual’s facial traits. The imagery can match their government-issued identification photograph during a liveness verification attempt if the technology is not equipped with the latest defences.
How financial institutions can prepare for 2025
Banks must tackle the challenge head-on to have the robust AML systems and processes required for South Africa’s greylisting review. This needs a clear perspective on the current threats and how to mitigate the resulting risks to banks and customers.
Digital injection attack detection needs fundamentally different techniques from presentation attack detection (PAD). Many current biometric systems are not equipped to defend against this fast-growing threat and financial institutions must find a new way to prove identity to prevent money laundering and cyberattacks. The answer lies in the use of “liveness” in authentication.
Simply put, “liveness” is the confirmation and verification that there is a human being conducting a transaction on the other side of the screen.While cybercriminals can mine personal data and override certain systems through targeted attacks, it is more difficult to forge a sense of human liveness.
Many local banks are addressing the challenge head-on. They are upgrading their systems in response to new digital risks.
It is possible to reverse South Africa’s greylisting in 18 months. Financial institutions need to refine their focus on digital identity, the central factor in performing safe, verifiable, and authenticated transactions.
We call on financial institutions and the government to embed infallible, enterprise-level and sophisticated biometric authentication into the country’s financial services infrastructure. This should not just be a response to our greylisting, but a strategic imperative in an increasingly digitised economic climate where cybersecurity risks abound.
If we can demonstrate an ability to combat threats at a global level, this could instil faith in reluctant overseas investors and local customers alike.
Murray Collyer is the chief operating officer of iiDENTIFii.
BUSINESS REPORT