Many people believe the financial services industry is under attack. Some assert the attackers are regulators, whilst others will state the industry is being attacked from within by rogue elements. Of course, there is a constant threat from money launderers, fraudsters, and now more than ever before, cyber-criminals. To counter these threats, we as AML specialists need to constantly be on guard, think dynamically, and innovate.
The penalties for failure and/or wrong-doing have reached hitherto unprecedented levels, and yet the former Superintendent of New York’s Department of Financial Services (DFS), Benjamin Lawsky, has stated they are not achieving the required impact. So what next? What other regulatory enforcement options are there? Mark Carney, the Governor of the Bank of England, called for harsher prison sentences for errant bankers. All of this marks a shift of regulatory attention and focus to senior individuals within financial services.
Such senior individuals are seeking assurances from others with respect to the robust, consistent, and constant application of controls. They want people to act with integrity and they want to be informed of issues that ultimately could threaten their liberty. Simultaneously, they run for-profit enterprises, they encourage business colleagues to take risks and earn rewards upon the same. Thus, they face challenges and pressure. Risk departments, including financial crimes, are the subject of increased regulatory scrutiny and demands. Consequently, risk managers seek more funds, more resources, and more time, all of which impacts upon the profits of a company.
While there are now more resources, these are not limitless. Hence, there is a need to leverage where possible and delegate where permissible.
Therefore, taking anti-money laundering (AML) and customer due diligence (CDD) as an example of a risk discipline, we should examine the components of an AML/CDD framework to identify where and how we might innovate. Such frameworks commonly incorporate the following:
Take, for example, one aspect of this list. The policies and procedures cover all aspects of the framework and ordinarily articulate what is required of staff, becoming, essentially, the rules with which staff are required to comply. But is there enough emphasis upon how these policies and procedures protect staff? These are not solely for the protection of senior management, but all staff who are vulnerable to the prospect of being compromised by third parties seeking to circumvent requirements, break laws and launder money.
The greatest thing about the human race is our differences, including the diverse and simple ways whereby some react to care and consideration, whereas others like to know the rules that govern their conduct. Thus, a subtle adjustment with a broader message will connect with staff in a more positive and engaging manner.
AML professionals have to look everywhere for possible issues and solutions, including their customers. Of course, without customers there would be no business, there would be no bank/company, and we would all be looking for another job. The FATF has asserted corporate customers need to know who they are, who controls the business, who benefits, the nature of the business of the customer, and what the customer requires from the bank/firm. In other words, the FATF has stated corporate entities are in the KYC business. So how may this impact the world of the financial crime professional? Is there some leverage here?
There is, for sure, a need to be sensitive and commercial; after all, customers want to be valued, respected, and in no way abused. Nonetheless, does the FATF proposal not suggest now is the time to review the terms and conditions (T&Cs) of business with customers, from the perspectives of AML and KYC? As banks and firms are obliged to keep CDD up to date, perhaps the corporate customers should be encouraged, if not instructed, to keep a bank informed of any material¹ changes to the corporate customer.
In relation to individuals, there is increasing evidence that indicates more demanding KYC requirements, including the source of funds and source of wealth, are presenting unwanted and previously unseen due diligence challenges to money launderers. Consequently, there is an increasing use of existing accounts, whereby launderers encourage others to become “mules” who, for a fee, carry the laundered funds through their account on behalf of the launderer. This change of approach demands a change of thinking on the part of the financial crime professional. Many of these transactions will be identified within transaction monitoring programs as unusual/suspicious, but would it not be preferable to prevent them from ever occurring in the first place?
Should we not put more obstacles in place for the launderers to scale and potentially stumble over, while simultaneously protecting customers from being compromised? Once again, the change by a third party, in this instance the money launderer, requires a change in thinking by the financial crime professional.
On a risk-adjusted basis, a bank account opened by a student receiving funds to pay for living expenses, education fees, and the general lifestyle would likely be classified as low risk. The risk would change significantly if the student/customer were to facilitate payments for a third party, even more so if the student allowed the third party to make widespread use of the account. Everyone knows increased risks lead to increased costs, but how can such costs, including the investigation of suspicious transactions and the submission of suspicious activity reports, be applied to the customer, in this scenario a student?
Perhaps, once again there is need to review and reword the T&Cs we provide to customers. For example, students should contract that their account will be used solely for their business, their education, their lifestyle, and their payments. Furthermore, the student (or any other customer) should confirm their account(s) will not be used by third parties and transactions will not be processed for third parties. As part of the customer education and protection process, the customer should be advised, alerted, even warned that processing transactions for third parties, in particular unknown third parties, may actually constitute a criminal offense.²
Some readers will immediately identify the above proposal as intimidation and in no way customer-friendly, but isn’t the protection of customers very friendly? Going further, a bank/firm may wish to insert clauses which allow the bank/firm to freeze the customer’s account and to manage the potential risks presented to the firm/bank, as well as apply charges of up to €1,000. This way, the costs of an investigation and submitting an SAR may be recovered, but there will be a need to define a third party and a third-party transaction.
Is this radical thinking? Maybe, but consider the alternatives, such as having your firm/bank used by a terrorist group to channel funds to commit atrocities and kill innocent people. Why your bank/firm? Because its controls were perceived to be weaker and the T&Cs less of an obstacle; the outcome, devastating. So when was the last time, as a financial crime professional, you looked at your bank’s/firm’s T&Cs?
Now let us once again consider our staff, this time in conjunction with the customers. As regulated banks/companies, we have legal obligations to know our customers, but we really mean account managers, relationship managers, and bankers, as these are the people adjacent to the customer, working with the customer, selling products and services to the customer, so it must be that these people know who they are dealing with, know their customer – but do they? And, more significantly, how do we prove they do?
Some account/relationship managers mistakenly believe their operations and compliance colleagues know who the customer is, and in doing so they err. It is the responsibility of the person/party working with the customer to know the customer; this way, he/she/they are able to identify anything unusual or suspicious. If they do not know the customer, they will not know what is unusual and they are far less likely to see the suspicious.
Regulators expect to see three lines of defense with customer-facing staff as the first line, indeed on the front line. In addition, they are seeking a correlation between staff training and engagement with customers, but how do we ensure our front line staff know their customers? The answer may be found within an evolving regulatory approach, attestations, whereby staff are presented with a customer’s KYC file and attest that it accords with their understanding of their customer. A further attestation could be included, along the lines of:
“I [name of account/relationship manager] confirm I know of nothing negative about [name of customer and related parties³] that could have an adverse/negative impact upon [name of firm/bank].”
This approach draws the front line together and demonstrates to regulators they are engaged. These attestations make it far more likely front-line staff will report unusual/suspicious customer actions/transactions, as well as material changes to a customer’s business, ownership, and/or control. This proposition reduces the instances where account/relationship managers state they did not know, as this drives them to know and is of significant benefit in the quest to keep KYC information and documentation up to date and accurate.
¹ Material changes being ownership (25/10%+), control, nature of business, diversification, acquisition, etc.
² Laundering is a strict liability offence in a number of countries, which does not require proof of any intent on the part of the accused.
³ Identified shareholders, beneficial owners, directors and/or partners.