We spoke to Moody’s global team of industry practice leads to find out more about their conversations with customers, regulators, and industry practitioners, asking what the BIG themes for compliance and third-party risk management (TPRM) were in 2024, and what they felt they might be next year. Here’s some of what they said.
Sanctions evasion, regulation, and transformation
Hera Smith: “In 2024, geopolitical tensions and ensuing sanctions of both specific people and entities have been a dominating theme. The Russia/Ukraine war is now heading for its third anniversary, and there is still much to manage in terms of sanctions screening, monitoring, and evasion tactics. There has been an ongoing crackdown on sanctions evasion and export control violations across Europe, and I don’t see that changing in 2025. There is always the prospect of additional or changing sanctions, so the topic will stay firmly on our customers’ agendas.”
Morgan Holleran: “Sanctions was also a hot topic in the US in 2024. We will see if and how that changes with the new administration. There was attention on both the volume and enforcement of sanctions, and ongoing concern about geopolitics, including situations with Russia as well as countries in the Middle East. There has also been contingency planning, because if there is another event that triggers sanctions, corporations need to understand how that would impact them and their supply chains.”
Francis Marinier: “For financial services customers in Europe, a significant regulatory change related to sanctions was the EU’s new reporting requirement for outgoing transfers involving Russian entities - article 5r and 5g. It’s continuing to shift compliance focus on a risk-based approach, with practitioners looking closely at beneficial ownership and control calculations, rather than simply names on sanctions lists. This ongoing reporting requirement is likely to keep sanctions front of mind next year.”
Chor Teh: “Also in the realms of sanctions, and a product of the ongoing war between Russia and Ukraine, was Russia’s approval of blockchain technology for cross-border payments. This wasn’t necessarily expected, and it emerged quickly. Russia’s move was significant because it allows for faster payment processing, which has the potential to lead to sanctions circumvention. The outcome of this approval is that know your customer (KYC) processes are increasingly being moved ‘on-chain’, i.e. onto the blockchain, which has presented some challenges for risk and compliance professionals.”
Nicola Passariello: “There has been increasing intensity in the growth of digital finance in recent years, and this dramatic take-up of new technology has, in turn, increased the avenues for perpetrating financial crime, not just sanctions evasion, but fraud more broadly.
“Since the start of 2024, Moody’s has been talking about shell company indicators and the misuse of legal entities to evade sanctions and commit financial crime. It’s this misuse of legal structures that offers opportunities for sanctions evaders and criminals to obfuscate their operations. Understanding if this kind of risk sits within a counterparty network is important to customers, along with understanding who the real beneficial owner of an entity is.”
Enrico Aresu: “Especially in the corporate sector, I’ve noticed an improvement in the sophistication of how organizations of different sizes handle sanctions compliance. Prior to the Russia/Ukraine war, it tended to be more of a ‘checkbox’ exercise. Now, the process is more comprehensive, incorporating aspects such as entity verification and ownership due diligence. However, there is always room for improvement, particularly in areas like IP address screening, which is especially important for global and digital organizations. Therefore, I anticipate a strong focus on this topic continuing into 2025.”
New and bolstered US regulations
Shaquala Swinton: “There has been an increase in regulatory requirements about third-party risk management generally this year. The Office of the Comptroller of the Currency (OCC) and the Fed had a joint initiative in June 2023, essentially about how to streamline and standardize third-party risk management and how that's applied in the US financial system.”
Maurice Crescenzi: “President Biden signed into law the Foreign Extortion Prevention Act (FEPA), which addresses the demand side of bribery and corruption with respect to government officials. FEPA now makes it illegal for a foreign government official to demand a bribe from an employee or third party working on behalf of a US company. Compliance professionals are likely to follow enforcement activity closely.”
Rich Graham: “One compliance trend in the US this year was having new money laundering regulations in areas like real estate and more focus on asset management. Those trends are going to start to impact companies that haven’t previously operated in the same way as other highly regulated businesses do today. However, there is a possibility the new US presidential administration will alter some of these regulations in 2025, so we will watch and wait.”
An ongoing focus on anti-money laundering
Nicola: “In Italy, and Europe more widely, there has been a lot of attention dedicated to the EU’s AML package, which aims to raise standards across member states. The upcoming anti-money laundering authority (AMLA) is going to play a crucial role but the mechanics of direct supervision and its impact on ensuring consistent enforcement are still to be clarified. A key question for next year is how AMLA will contribute to effective verification of sanctions compliance.”
Marisol Lopez-Mellado: “There has been a lot of movement around the European Union’s AML package – regulation, directive, authority. The European Banking Authority is working on the standardization of customer due diligence (CDD); what AMLA will do in terms of best practices; and how this will impact risk management and compliance functions.”
Francis: “The EU is experiencing a convergence of financial crime risks and therefore has a focus on combating organized crime, carousel fraud, tax crimes, sanctions circumvention, human trafficking and environmental crimes, and other predicate offenses to money laundering. There’s dedication to improving data quality to make faster, better-informed decisions in near real time about these risks. Information sharing amongst obligated entities and regulators, registers, financial intelligence units (FIUs) and data providers is key to developing transparency in the fight against financial crime. Engaging in the industry throughout 2024, it is evident Financial Crime Specialists need to continue to work closely with Master Data Management and analytics specialists to apply key principles and consider which data points are available as a golden source to help supply controls throughout customer and third-party lifecycle of risk management.”
Enrico: “Companies are investing more in KYC, AML, due diligence, and so on, but it’s not something they can change overnight. Many conversations are about finding the right balance between immediate improvements and gaps that can be bridged and addressed over time to control and manage risk. It’s a journey, not a destination, so many of the themes discussed in 2024 will continue into next year and the years to come.”
Choon Hong Chua: “Following a series of high-profile money laundering cases in Asia, regulators in the region are implementing stronger regulatory controls to combat money laundering and terrorist financing. This includes extending compliance obligations to higher-risk businesses and services ancillary to the financial industry – see Australia’s AML/CTF Amendment Bill that passed in November 2024. Though affected entities can expect an initial increase in compliance reporting load, tighter regulations can provide additional guardrails for banks when conducting due diligence and improve the effectiveness of AML/CTF efforts.”
Mohamed Daoud: “In 2024, numerous countries intensified their efforts to remove themselves from the Financial Action Task Force (FATF)’s grey list, understanding the profound reputational and economic consequences associated with the designation. In the Middle East, Türkiye and the United Arab Emirates successfully moved off the grey list by undertaking comprehensive legislative reforms and implementing stringent new compliance policies. The concerted push against financial crime and money laundering is expected to yield substantial long-term benefits for both economies, paving the way for improved trust in the financial system.”
Rich: “The FBI will release its Internet Crime Complaint Center (IC3) statistics in January 2025, and I expect they will show fraud has increased. Scams aren’t going away, but they’re going to get more difficult to pull off as companies continue to address the problem of fraud. The IC3 report is only as good as the data reported, so even if some figures are not reported, fraud losses will likely increase.”
Sanctions changes – preparing to be prepared
Choon: “Given the current sanctions environment, foreign financial institutions are likely to face increased secondary sanctions risk. Companies need to implement yet more robust sanctions compliance controls and respond to changing policies with agility.”
Nicola: “Sanctions will continue, of course, but they are driven by geopolitics and conflicts, and these can be hard to predict. There are likely to be more targeted sanctions – regional and thematic – and more enforcement actions next year.”
Hera: “A sanctions crisis management team is likely to be a key focus in 2025. Having a policy team in place to help deal with the unpredictable is important. Many organizations should have something in place to deliver a quick response to new or even rolled back sanctions. And businesses need to think about how they will manage and make decisions if there are policies that deviate regionally. There are plenty of factors that could impact sanctions next year and most are hard to predict, so preparing to be prepared is probably the best approach.”
Supplier due diligence and supplier risk management
Enrico: “Many of the regulations that could impact customers in future years are still in proposal. But regulations drive the compliance and TPRM landscape, so they are often the trigger for discussions with customers.
“A piece of regulation putting due diligence processes at the heart of everything for companies is the EU’s Deforestation act. EU countries and companies trading in the EU will need to support the act, and the requirements will need to be covered in their TPRM processes. The regulation will apply to products and commodities and will focus on key regions of the world presenting the most risk. The implication is this will involve many companies; there are thousands transforming commodities, like palm oil, into products. Corporates will need to gain transparency over their supplier networks.”
Marisol: “The EU’s Deforestation directive has been postponed, but when corporations are doing due diligence on suppliers, especially those using specific commodities such as cocoa, soy, palm oil, and others, this consideration will need to be factored when the act comes into effect. There should be nothing in a supply chain extracted from a place engaged in deforestation. Businesses offering a product will need to identify and assess risk, and report.
“Could this also have implications for financial services businesses loaning money to corporates in Europe? It is a big question for 2025.”
Enrico: “Another regulatory change in the realm of supplier risk management, which will apply in the EU from January 17, 2025, is the Network and Information Security 2 (NIS2) directive. It’s a cyber-risk-related regulation (like DORA: The Digital Operational Resilience Act which is more focused on the financial sector) about IT risk management.
“Corporates will need to map their tech infrastructure to see which partners or vendors have the power to affect the business if there were an attack. Again, gaining transparency is key with this regulation – transparency to understand risk and report cyber-attacks, as well as transparency around plans to prevent attacks. In this case, companies must also adopt a very thorough approach to comply with regulations; anything else would not be sufficient.”
Daoud: “2025 will continue presenting a complex risk landscape – particularly in the areas of financial and sustainability risk of global supply chains, third-party risk, and intricate risk networks of suppliers, manufacturers, and distributors. Companies need to be able to mitigate these risks through robust due diligence, including comprehensive background checks on suppliers, implementing a risk-based approach for potential vulnerabilities, and establishing transparent supply chain monitoring.”
Choon: “Global disruptions, and an increasing focus on due diligence within the supply chain, have made it important for large corporate players to ramp up their due diligence efforts. If 2024 is anything to go by, expect the following themes to affect supply chains next year: evolving geopolitical tensions, raw material shortages, and a shift towards reshoring and nearshoring practices. As supply chain patterns continue changing, companies will have to adjust their supplier risk programs in anticipation of what’s next.”
Jill DeWitt: “We will potentially see more regulation related to forced labor in 2025, which impacts areas like due diligence and entity verification. I think there could be more harmonization as different societies take a harder stance on forced labor globally.”
Jason Lee: “The future of next generation Know Your Customer support is going to speak to how companies can enhance due diligence when it comes to sharing information with partnerships or joint ventures that they normally would not share.”
Maurice: “For 2025, my sense is our customers will continue to look for integrated third-party risk management – a singular, streamlined workflow where they can conduct due diligence across functional areas (e.g. compliance, supply chain, procurement, etc.) in different risk areas all at once, rather than working with different systems. The ongoing maturation and evolution of third-party risk management will continue, including increased focus on artificial intelligence in the context of the due diligence process. Our customers have made it clear they’re looking for help in streamlining their approaches to third-party risk management, maximizing efficiency, increasing accuracy, reducing false positives, and driving down redundant costs.”
The Single Euro Payment Area (SEPA) and faster payments
Hera: “I think one of the biggest themes for Europe in 2025 is going to be the SEPA form of payments. There will be regulation on instant payments, i.e. making payments within 10 seconds. This is all well and good if there are no problems with the transaction, but what if there are sanctions implications? What are the industry standard ways to comply with this? Businesses will need to consider this carefully.”
Marisol: “There are critical aspects around the urgency of understanding risk related to transactions, sanctions being one type of risk that is particularly relevant for those doing institutional KYC on corporate clients. But due diligence will also be required for individuals transferring money very quickly, i.e. consumer clients sending money.
“The risk of doing things at speed needs in-depth assessment, as there are ways to use banks with lower KYC thresholds to start moving money very easily, which is something criminals can exploit. Following the money can become extremely complex extremely quickly.
“Banks and payment services firms have the controls, but they need to think about the lifecycle of a relationship, and if they have the controls to understand when a client’s behavior poses a risk to the organization. How do you change your processes and controls to make sure risks can be seen on a perpetual basis?”
Chor: “Faster payments will bring a greater focus on perpetual screening and pKYC. If EU institutions are required to do instant payments – transmission from point A to B in 10 seconds – screening needs to be up to the minute, and that’s a big thing. If the market thought verification needed to be done quickly before, it’s going to need to be done at breakneck speed now and on a continual basis. Ongoing digital transformation and introduction of further AI-enabled solutions are going to be the keys to managing this.”
Nicola: “The role of data scientists will also grow in importance as they leverage advanced analytics to find the outlying patterns and identify suspicious behavior during screening and monitoring processes – AI can’t do the job alone.”
AI and RegTech’s role in risk and compliance
Francis: “We can’t talk about 2025 without talking about AI and its role in risk management and compliance. The RegTech industry is making smarter solutions all the time. AI, for example, is playing a growing role in financial crime detection and prevention but concerns about bias and explainability remain. As a business, how do you evidence completeness and integrity, and how do you ensure human decision making is engaged to support explainability? AI cannot be a black box. So far, much of the focus for AI has been on efficiency and effectiveness. In 2025, I think there will be increased focus on preventing bias.”
Nicola: “Criminals will increasingly exploit legitimate businesses, AI, and emerging technologies to launder money and evade detection. Fraudsters, sanction evaders, and those enabling money launderers will continue to cooperate in the ‘crime as a service’ model.
“Cross-border digital crime demands enhanced information sharing through public-private partnerships. In response, law enforcement and financial institutions are likely to leverage advanced technologies, including AI and specialized data analytics, to better detect and prevent criminal activities.
“AI can be viewed as an efficiency booster and it can enhance human decision-making, but it is also likely to increase governance and privacy rules. Those who have relied solely on AI for risk and compliance could face fines and enforcement actions related to failures, for example if there are deficiencies in use of AI within an AML framework.”
Enrico: “Every time I touched on this topic at a conference or during a customer discussion, the room temperature rose significantly, sparking numerous questions and insights about how our customers are approaching this transformative subject.
“The truth is, many companies have already embarked on their own AI journey, and many more will follow in the coming months and years. The excitement surrounding this topic stems from organizations recognizing how it will revolutionize risk and compliance in the years ahead. According to our study into AI, over 80% of companies anticipated a significant impact on the efficiency and effectiveness of risk and compliance, with 70% believing this will occur within the next 4-5 years – it is a big shift that’s coming soon.”
Bill Hauserman: “Predictive machine learning-based AI is changing the dynamics of data and investigations. The problem with investigations for a very long time has been sorting through data. Analysts now don’t have to go through numerous companies to figure out which ones present a risk, which could take a week. It can be done in seconds, or AI can at least help prioritize where to look.
“By materially changing efficiencies, it’s possible to materially change a criminal network’s abilities to operate. Most of the gains in this arena are going to relate to empowering people to do things more quickly that either couldn’t have been done before or took too much of a time investment.”
Shaquala: “There is, of course, ongoing conversation about AI. The OCC is more ‘AI friendly’ and has released guidance welcoming innovation. And many organizations want to see this regulator-provided guidance before they leverage AI technology in risk and compliance. They don’t want to make a mistake and allow money to be laundered through their organization. The conversation is open and ongoing.”
Morgan Holleran: “AI is being adopted more often and earlier in financial services – through processes like transaction monitoring – but in 2025, as corporate compliance programs scale and look for automation, AI adoption is an easy win. There is significant room for growth though. We are primarily seeing AI usage in screening – trying to help analysts spend time effectively. There should be an overlay of people and technology to make sure people are targeted at the true material risk-relevant hits, not spending hours on a false positive investigation or hitting a dead end.
“One other issue related to AI and automation is the importance of data quality. The effectiveness of any AI that you apply is reliant on the quality of the data going in.”
Jill: “I think 2025 is going to be ‘the year of data,’ because people want to move to new technologies and become more efficient. This has started through a huge influx of AI and GenAI. Banks of all sizes, for example, are realizing they need to invest in AI, or they could be left behind. But you can’t just invest in AI, you have to start by investing in and understanding your data resources.”
Ted Datta: “Bringing together the themes my colleagues have talked about, I think 2025 will be focused on two big themes – unified risk management and the ‘industrialization’ of GenAI as an enabler.
“Customers will be focusing on different types of risk; bringing data and analytics together to understand how risks are connected; and who those risks are connected to in order to make decisions. Whether those decisions are related to sanctions, onboarding, supplier relationships, compliance – our customers will benefit from an approach that consolidates data, automates workflows, and harmonizes their requirements to uncover risks, unlock opportunities, and make informed decisions. Leveraging this approach to unified risk management, customers will be able to focus on achieving greater efficiency, shared intelligence, and greater resilience.
“Then the increased industrialization of GenAI in 2025 will help customers prioritize ‘human-led’ decision making at scale, addressing the complexity and volume of risk-based decisions that need to be made in an era of exponential risk.”
