Anti-money laundering: have we forgotten what we are trying to achieve?

Around $2 trillion or 2-5% of global GDP is laundered annually, according to UNODC estimates in a 2017 study. At the same time, only around 1% of criminal proceeds are confiscated in Europe each year.

Financial institutions are in the line of sight for both money launderers and regulators. But are their AML efforts too literal, too narrow and too patchy? Or are firms just overwhelmed by the amount of regulation and competing demands on their time to be truly AML-effective? The panel moderators of RiskConnect Virtual 2020 - Kevin Smith and Bill Trueman from Riskskill take a back-to-basics look at fighting financial crime and remind us what we are trying to achieve with AML.

This article will be published in the upcoming RiskConnect 2020 Magazine.

Implementing AML controls frequently comes up against the Goldilocks problem. What is not too much or too little, but just the right amount?

To some extent, the financial services industry has gone too far in implementing AML controls. It places huge onus on repeating on-boarding checks, particularly around re-identifying customers, for example. But at the same time, it does not go far enough with ongoing monitoring and management of existing customer relationships.

“People understand that you need to do customer due diligence on new customers. But as the relationship develops, you should always be monitoring, looking for fraud and suspicious activity. It’s part of a broader understanding of the business and people, not just a one-off activity,” says Kevin Smith.

Conducting know-your-customer and know-your-business (KYC/KYB) checks and verifying data on potential customers is critical — as well as being a legal requirement. But if an organisation does not really understand the purpose and intended nature of a customer relationship, they may not have a full picture of the risk associated with that customer. Or have a meaningful basis for deciding what is normal in the context of their business, so unusual or out-of-pattern behaviour stands out more clearly.

This is all part of a risk-based approach. Instead of taking a blunt-instrument or one-size-fits-all approach to identifying suspicious transactions or behaviour, if you know what genuine customer behaviour looks like, anomalous behaviour will stand out more clearly. There is little to be gained, and much to be lost, by inconveniencing genuine customers, blocking or declining particular transactions and creating more false positives. With a risk-based approach, only higher-risk transactions are pulled out for extra scrutiny. The overwhelming majority of business can proceed without this as it is not high risk.

Building capacity

We must focus on not just doing AML for AML’s sake, says Kevin. Part of this is a capacity issue. Risk management and compliance staff, but also their colleagues in business development and account management roles, need to be sufficiently empowered to ask difficult questions. They need to look in detail at customer relationships and, of course, know what they are looking for.

“During client engagements, it often becomes quite apparent that underwriting and compliance teams don’t know the questions they should be asking potential and existing customers. There is always a drive to get clients on-boarded, and people can often forget the mechanics of why it was important to understand the true merchant business and to be cognizant of a concerns in the data presented and noteworthy changes,” says Smith.

Firms of all sizes must recognise that they are and will be a target of financial crime. And that this is not just about fraud and data security breaches, but also encompasses money laundering and other types of financial crime. Of course, the appropriate policies and procedures need to be in place and must be shared widely internally but also externally. It is about building capacity across the extended enterprise.

“I’ve seen many examples of where wonderful policies exist and are understood by the board, but they are not lived and breathed within the business. It also goes broader to sharing them with suppliers, partners, and merchants — people forget about third parties. They worry about getting some policies in place and think that’s it,” says Smith.

Size doesn't matter

Regulation applies equally irrespective of the size of the firm, which may catch smaller organisations out. “If people come from a banking, finance or payments background and set up or grow companies, they have an awareness of anti-financial crime procedures instilled within them. They go in with an attitude of wanting to be and do the right things and questioning unusual aspects of business right from the start,” says Bill Trueman.

The challenges arise more for smaller start-up businesses and those from outside the financial services sector, or both. If they have never ‘touched’ AML previously and grown without understanding, knowing or putting these controls in place; or if they simply rubber-stamp some policies, that they have developed off-the-shelf: then retrofitting robust controls can be difficult.

Indeed, at the beginning of July 2020, the FCA, the UK financial services conduct regulator wrote to all regulated firms, reminding them of a few of their many obligations. Among other issues, the regulator was concerned that firms were failing to take appropriate steps to properly manage their financial crime risks.

Common issues were firms not having an effective business-wide AML risk assessment in place; customer risk assessments not including all relevant risk factors; a lack of effective and risk-sensitive enhanced due diligence for high-risk customers, and senior management not having adequate oversight of agents, particularly where these operated overseas.

‍Advice for firms and regulators

What advice do Riskskill have for card payment firms in focusing on what is important from an AML point-of-view?

Firstly, effective risk management is not just about managing fraud and data security breaches. There needs to be an awareness that the underwriting process is a way to prevent bad business from coming into your firm and the system more generally.

Secondly, risk management is not a one-and-done activity, rather a persistent and consistent process of ongoing customer and transaction monitoring. If a business manages to deceive us when they are underwritten, say by introducing a proxy or shell company structure to our business: we really ought to be spotting sudden trading anomalies that can direct us to review our onboarding of that customer.

Finally, risk management disciplines have tended to operate in silos with separate underwriting, fraud investigations, compliance teams, in addition to a anti money laundering function. Organisations need to ensure that there is effective engagement and communication between all risk disciplines. An incident that happens in one area is probably a strong indicator that the organisation is being attacked from several different angles. It is about gathering as much information as possible, rather than doing things in isolation and missing the bigger picture, advises Smith.

When it comes to regulators, Riskskill feel there is also a need to build capacity. Regulators regulate better when they have direct knowledge and experience of the industries being regulated. This may involve some up-skilling as to what the criminals are doing, and the information and tools available to counter these threats.

“Regulators also need to audit, spot anomalies and take regulatory actions faster, and get firms either ‘on-track’ or ‘off the rails’ earlier in the process. We’ve seen a number of cases where the regulator hasn’t actually ‘bitten the bullet’ or has allowed unsatisfactory situations to continue. Equally, we see situations where they ‘will not let go’, long after they should have done so. They ‘come at it’ from too much of a purist angle,” comments Trueman.

Looking to the future

The advice to firms and regulators notwithstanding, have we forgotten what we are trying to achieve with AML? If the aim is to prevent money laundering and the financing of terrorism, rather than keep the regulator happy, perhaps the current approach is too literal, too narrow and too patchy.

But equally, this may be an indicator that the regulator needs to understand and adopt an approach better aligned to understanding, finding and preventing money-laundering than one which blindly follows an approach and sticks to the rules – ‘whether or not they apply in this case or not’.

For regulated firms operating in the European Union, the Sixth EU Anti-Money Laundering Directive (6AMLD) seeks to harmonise the legal definitions for money laundering, related offences, and punishments across member states. Historically, the differences between jurisdictions has caused difficulties for national law enforcement agencies when they have sought assistance for cross-border investigations. It has also created confusion for firms that operate in multiple jurisdictions, which money launderers have exploited.

6AMLD is due to be transcribed into national law by 3 December 2020 and must be implemented by firms by 3 June 2021. Discussions around the creation of a new, central EU AML authority in the wake of recent dirty money scandals involving European banks are ongoing.