Sunday evening’s news cycle had one major story. Coronavirus? Brexit? The Emmy Awards? No, it was the leaking of more than 2,500 documents from the US Financial Crime Enforcement Network (FinCEN). The majority of the documents leaked were suspicious activity reports (SARs) sent to the US authorities by the world’s biggest banks (including UK banks). These set out the banks’ concerns about their clients potentially using the banks’ services to launder proceeds of crime. The period covered was between 2000 and 2017. The SARs describe over 200,000 transactions, worth approximately $2 trillion. These leaked files also demonstrated how sanctioned Russian individuals used the banks to circumvent the financial sanctions imposed on them due to their links to the Kremlin.
To the financial services professional, the news will come as no surprise. The world has a number of unsavoury characters who everyday are looking to use the financial system to launder their proceeds of crime, whether generated by corruption, tax evasion or other criminal activities.
The leaked files demonstrate that the banks involved were complying with their obligations to report their suspicions of their clients’ criminal activity, as required by businesses and staff working in the industry. Why, therefore are the banks being criticised having properly escalated their concerns to the right authorities?
A few points fall to be made. The threshold for suspicion, particularly in the UK, is very low. It does not come anywhere near knowledge, let alone the standards of evidence required to convict. There is no obligation to suspend or close accounts when a client’s account is reported as suspicious. If a financial institution delays or fails to complete a transaction without providing a good reason, they can be sued should the client lose money. There are restrictions (with criminal penalties) for disclosing that a report is being made.
The challenge in this case is that the evidence presented by the reports taken from this leaked information appears to indicate that the relevant banks did little other than report and were not proactively managing the financial crime risks. It is always best to withhold judgement until all facts are known, but some of the examples provided raise questions based on the information provided. These include:
- A global bank allegedly facilitated the laundering of more than £60 million worth of fraudsters’ money, after the Bank was notified about the Ponzi scheme.
- One of Britain’s largest banks was allegedly used by a Russian Billionaire to evade the sanctions imposed on him by the US and EU following Russia’s annexation of the Crimea in 2014. These arrangements included using a company to purchase expensive art.
- The US’ largest bank is said to have conducted transactions worth more than $1 billion for one of Russia’s biggest Mafia bosses who was accused of gun running, drug trafficking and murder. The ‘mobster’ used an offshore company. The FinCEN files note that the Bank did not fully understand the company’s beneficial ownership, until after the account was closed.
- Another British bank apparently moved cash for a Jordanian bank, even after there were reports that indicated the latter bank had been heavily used for funding terrorism.
- The Central Bank of the United Arab Emirates (UAE) allegedly processed transactions for a Dubai firm which had previously been linked to the evasion of the Iran sanctions.
- One of Europe’s biggest banks’ Executives ignored warnings of money laundering vulnerabilities
All the banks named have responded to the leaked files, stating they have met all of their legal and regulatory duties, and the nature of leaked documents is that they may present only a partial picture of the range of activities that a bank may have undertaken in relation to the matter reported. However, the FinCEN Files point towards a number of weaknesses which regulators and those carrying out financial crime compliance reviews commonly find in firm’s financial crime frameworks. These include:
- Insufficient monitoring or not responding quickly enough to adverse media by appropriately investigating whether an individual/company who is a subject of concern has links to their client.
- Senior management failing to take seriously warnings about weaknesses in a firm’s AML systems and controls.
- Insufficient verification of the identity of ultimate beneficial owners of offshore companies often because of poor risk assessment processes or client monitoring, including ongoing acceptance and continuance of the relationship.
Therefore, what could banks be doing better?
The Money Laundering Regulations are principles-based regulations. They require firms to take more responsibility in combating financial crime, away from a prescriptive regime which can lead to tick box compliance. Because of this, financial institutions must build a financial crime framework which is based on their size, complexity, business model, and overall risk profile. But what does this mean in practice?
Developing an effective AML Programme
Building a robust financial crime framework is no small task. The era of giving someone a title of MLRO, as part of a portfolio of different other roles, is long since passed. It takes time and resource to ensure a firm has the strongest possible defence to combat the risks that it is exposed to, as well as senior, and middle, management engagement to help drive a culture of doing the right thing; that compliance matters and must not be sacrificed in the pursuit of revenue or profit. To assist in creating an effective financial crime framework, there are a number of steps in which an institution must take.
Business-Wide Risk Assessment
A firm must identify and assess its inherent financial crime risks. This is the foundation of a framework. By understanding the risks, firms can build a framework which is suitable for them. There is no point in creating systems and controls which are not in line with the firm’s size and business model. ‘Off the shelf’ policies and procedures which help tick a regulatory box are not what is required. To assist in conducting their business-wide risk assessment (BWRA), firms should use the UK’s National Risk Assessment of Money Laundering and Terrorist Financing to understand the risks HM Treasury has specifically designated to its sector. The report included consultation across law enforcement and intelligence agencies, and with supervisors and the private sector. Therefore, it is worth taking note of the risks identified across the industries, as well guidance provided the FCA in its Financial Crime Guide.
Risk Based Approach
When firms envisage ‘risk based approach’, the majority of people automatically think of customer due diligence. High risk clients require enhanced due diligence. This is not incorrect, but it does not tell the whole story. The business-wide risk assessment (BWRA) conducted by the firm, must inform the firm’s systems and controls. The BWRA is not an exercise simply to satisfy Regulation 18 of the Money Laundering Regulations, it is so that firms design a framework which focuses on their risks. Meaning that when a firm identifies areas of high risk in their business model, for example their services allow cash transactions, the firm should be implementing enhanced controls around its cash monitoring.
The term ‘Public-Private Partnership’ (PPP) is not new. A number of the larger banks are joining government select committees, as well as the Joint Money Laundering Intelligence Taskforce (JMLIT), to try and crack down on money laundering across in the UK’s financial system, including how to make regulations and standards more effective. However, it would be fair to say that it is still some way away from working well. Although communication lines are open, the partnership still lacks effective information sharing, especially for the smaller financial institutions. A report in 2017 highlighted that 80-90% of suspicious reporting is of no immediate value to active law enforcement investigations. An effective PPP has benefits for both parties, and works a complete circle. When firms properly investigate a client’s transactions and provide useful and detail information in the submitted SAR, this can help law enforcement agencies in apprehending criminals. On the other hand, when the public sector shares information on money laundering and terrorist financing trends typologies and illicit behaviour, as well as money laundering and terrorist financing red flags, financial institutions can use that information to align their monitoring and investigation processes to identify and report unusual and suspicious activity. It is therefore imperative that all firms have customer data systems which are up to date, easily accessible and can be provided to law enforcement agencies efficiently.
Whether the firm has just built its financial crime framework, or has an existing framework, the need for constantly ensuring it remains effective is paramount. A firm’s second line of defence, compliance team, should have a monitoring programme which regularly assesses the effectiveness of the firm’s financial crime systems and controls. As ever, in line with the firm’s risk based approach, more resource should be applied to areas which were identified by the firm in its BWRA. Reporting should be escalated to senior management to ensure they are aware of any issues that are detected in the monitoring programme are suitably managed.
How can BDO help?
BDO’s Economic Crime Advisory team has extensive experience in helping firms develop a robust and regulatory compliant financial crime framework which suits you. Our team has worked closely with the FCA in a large number of FCA s166 Skilled Person reviews, and therefore we know what the regulator is looking for.
- Create and implement a BWRA which is commensurate with the firm’s size, business model and complexity.
- Design policies and procedures which are informed by your BWRA, including risk based due diligence and monitoring on clients and transactions.
- Developing an appropriate transaction monitoring system with parameters and rules based on money laundering scenarios applicable to your business. With this, we can establish your documented escalation process when unusual or suspicious activity occurs, including how and when to report such activity to the National Crime Agency.
- Build an effective governance structure which allows senior management to take ultimate responsibility for the firm’s financial crime risk, for the first line of defence to own and mitigate the risk, and for the second line of defence to develop an appropriate programme for them to provide assurance and oversight of the framework.
- Conduct an independent assessment of your financial crime systems and controls against regulatory requirements and industry standards.