Best practice in higher-risk products and services
Management of internal suspicion reporting
Where you see the WWW icon in this chapter, this indicates a preview link to the author’s website and to a training film which is relevant to the AML CFT issue being discussed.
Go to www.antimoneylaunderingvideos.com
These can be summarised as follows:
These should include the following as a minimum:
The exact place of the AML/CFT compliance role within the overall structure of the organisation is not prescribed internationally, and so will depend upon any national requirements and on the preferences of the organisation and its senior management.
In the largest international banks, the position of Head of AML and CFT is a senior position which is well remunerated and offers enough direct access to senior management to be able to function effectively. Typically the AML/CFT function will fit within one of two models:
It is of course also possible for the unit to sit completely independently, as a statement of the importance attached to it. If that is the case, then the reporting line of the head of the unit should be at least to Executive Director level and preferably to the Chief Executive Officer, in order to avoid the risk of the unit being bypassed in important decision-making processes.
AML/CFT units are rarely part of the audit function. This is because they must themselves be subject to scrutiny and oversight in relation to the effectiveness of the way in which they perform their duties. This would not be possible if they were part of the audit function, whose job it is to provide management with assurance that different functions in the organisation are doing their jobs efficiently, including the AML/CFT function.
The so-called ‘three-line defence model’ for AML and CFT sees the organisation setting up three tiers of protection against the various risks posed. These are:
In terms of who does what within the AML/CFT function, in a small organisation one or two people may handle everything from business queries to training, to writing policy, to arranging IT support for name screening, etc. As an organisation gets larger and more complex, however, this clearly becomes inappropriate and a division of responsibilities becomes necessary.
The precise nature of the division, if not prescribed by local law, is a matter for the Head of the AML/CFT function to decide. For example, a Head in a reasonably large organisation might split the responsibilities of the function as follows or, where resources are tight, allocate clusters of them to individuals:
The very largest organisations will need to operate matrix structures in which different roles are performed across multiple products in different business streams across multiple jurisdictions (if the organisation is expanding internationally). These structures may, for example, see different heads of AML/CFT distributed through the organisation on a business or geographic basis, with double reporting lines to both the general managers of those businesses and into a main, centralised AML/CFT function sited in head office.
In such cases, the more complex the structure needs to become, the more important it is that there is great clarity as to who is responsible for what – in particular the statutory responsibilities laid down under national law and, of course, clarity within the organisation as to whom suspicious transactions should be reported.
Whereas all core activities in the AML/CFT role are important, there is one activity in particular which is paramount, and that is securing senior management support. Compliance starts from the top, and without the commitment of senior management the role of the AML/CFT Compliance Officer becomes that much more difficult, and some might even say impossible.
Why is this? The answer is that the senior managers in organisations occupy positions of such power that effectively they determine the culture of the organisations which they lead. Whether it is because subordinates want to impress them, or because they are fearful for their jobs, or because they act purely from habit may differ from case to case. But the general indication is that people’s propensity to follow orders at work and ‘go with the flow’ is extremely high.
What is the evidence for this? Much research has been done in this area but two psychological studies conducted in America in the 1960s are particularly worthy of mention. The first, undertaken by Stanley Milgram, placed subjects in a situation where they thought they were taking part in experiments to determine a person’s capability to follow simple instructions, with a small electric shock being administered if the person followed the instruction incorrectly. They were assigned the task of the ‘teacher’ and had to administer these small electric shocks to the ‘student’ who was situated on the other side of a pane of glass, the two being separated by a contraption described as an ‘electric shock machine’. The arrangement is shown in Figure 3.1.
Figure 3.1 Milgram’s famous experiment
In fact there were no electric shocks and the real subjects of the experiment were the ‘teachers’ who were being asked to administer what they believed to be increasingly severe electric shocks to the ‘students’ (who were in fact actors) for no other reason than that they had got the answer to a simple question wrong. As the ‘shocks’ increased the ‘students’ displayed increasing amounts of distress. Milgram’s ‘teachers’ were accompanied by authority figures in white coats (the experiments were conducted at Yale University in the US) to whom they frequently appealed during the experiments for permission to stop. Always, however, the answer came back calmly but firmly to proceed with the administration of the ‘electric shocks’. Milgram was interested to test how far people would go in following instructions from an authority figure. The results were extraordinary. Very high percentages of the subjects (sometimes up into the 70 per cent bracket) would proceed to administer what they believed to be lethal electric shocks to the ‘students’. This led Milgram to his chilling conclusion: ‘A substantial proportion of people do what they are told to do, irrespective of the content of the act and without limitations of conscience, so long as they perceive that the command comes from a legitimate authority’. (Source: www.stanleymilgram.com/quotes.php)
If Milgram’s experiment dealt with people’s propensity to follow orders, then the experiments conducted by another American psychologist, Solomon Asch, were directed more towards people’s willingness (or otherwise) to speak out in a group when they believe that something is wrong. Asch seated each subject in a group with 11 others, all of whom knew the true purpose of the experiment; only the subject was unaware of it. The group would be shown images of lines of differing lengths and asked to state which line was longer, which was shorter, and so on. Each member of the group would state his or her opinion in turn. The subject was always in the latter half of those asked, so that the majority of the group had already given their opinion by the time it came to the subject. The differences in line length were quite obvious. For a couple of rounds in each group, the majority of those asked ‘Which was the longer line?’ gave the correct answer, as did the subject. At a certain point, however, the majority gave wrong answers and, again in surprisingly high numbers, the subjects would agree with the majority even though the evidence of their own eyes was telling them quite clearly that the opposite was true.
These two experiments demonstrate what most of us have probably already experienced: that in organisations people tend to do as they are told and are, by and large, very reluctant to speak out when they receive an instruction which they believe to be ‘wrong’. Applying this to an AML/CFT culture it becomes easy to see how such a culture would be weak and ineffective unless senior management is not only ‘talking the talk’ but also ‘walking the talk’, i.e. insisting upon adherence to necessary standards, even where that may mean giving up a short-term revenue gain.
In one financial institution there was a policy which stated very clearly that: ‘In case of doubt we do not hesitate to reject potential customers or terminate business for AML concerns, even if it means losing profitable business. Consequently we accept from staff a critical attitude with regards to new customers.’ A young relationship manager, aware of the policy, was publicly criticised by his manager in team meetings when he raised concerns about certain new customers and the origin of their wealth. He was told, ‘Go and join the Compliance Department, you’d fit in better there than you do here,’ and he was overlooked for promotion and received a lesser bonus than some of his colleagues. He raised the matter privately with the Compliance Department who, after getting nowhere with the business manager concerned, escalated the matter to the CEO, explaining that in its view it was essential that the business manager should get a clear message from the CEO that the AML policy was meant to be followed in practice. The business unit run by the manager was, however, performing extremely well. Its revenues were at record levels and undoubtedly the manager was partly responsible for this.
In spite of several subsequent requests, the CEO took no action, choosing rather to issue a generally worded memo to all staff about the importance of the AML policy. A month or two later, another manager in the business unit informed Compliance that the manager had treated the matter humorously in a subsequent team meeting, quipping that the CEO needed him more than he needed the Compliance Department. The second manager said, ‘Everyone knew what had happened and everyone knew what the outcome had been. From that moment on nobody was in any doubt that, whatever the AML policy said, the view of their manager, backed by senior management at the highest level, was that whenever the policy jeopardised profits, it could be overlooked.’
Genuine support from senior management is so essential that nothing good or effective will be achieved without it. There are some obvious things that you can do on a personal level to foster support from senior managers, such as:
However, AML/CFT compliance officers must appreciate that it is insufficient simply to write lots of memos and other communications pointing out what the laws and regulations say. To achieve real commitment and all the good things that flow from it the AML/CFT function must adopt an approach that is business-focused, one that casts AML/CFT compliance as something that is there to help the business succeed, rather than as a ‘blockage’ to be got around or ignored.
The foundation stone for your business-focused approach should be a desire to achieve (or, if a great one exists already, to maintain) the right culture within the organisation. This will not be a culture in which the business views compliance as being the Compliance Department’s problem, but rather a culture in which the business takes ownership of compliance for itself and incorporates it seamlessly into its business processes, with the support and help of the CEO and senior management team and the Compliance Department. This type of culture is typically achieved by:
What practical steps can you, the Compliance Officer, take to embed responsibility for AML/CFT compliance within the business itself? In terms of corporate governance there are a variety of possible measures, outlined below.
Corporate policies should state clearly that responsibility for compliance lies with business units. For example:
‘Business heads are responsible for ensuring that procedures and controls commensurate with these standards and guidelines are in place for all units under their control.’
It is not sufficient that business managers’ responsibility for compliance should simply be incorporated within policy documentation. Managers will need reminding on a constant basis that responsibility is theirs. A good mechanism for achieving this is a regular meeting of an Anti-Money Laundering Group (AMG), comprising the heads of the major business units concerned and briefed to discuss AML and CFT issues specifically. The AMG should be chaired by the chief executive or general manager and would consist of the heads of businesses, the Chief Operating Officer, the Compliance Officer and any other key personnel. An example agenda is shown below:
for the meeting to be held on [date] at [place]
Chaired by the Chief Executive Officer, or in his absence the Deputy CEO or Chief Operating Officer (COO).
For attendance – Heads of Businesses, COO and any other key personnel agreed.
Responsibility for AML/CFT compliance should also be built into the organisation’s performance management framework, thus ensuring that observance of AML/CFT good practice is one of the measures against which managers’ work performance is assessed. Specific AML/CFT objectives can be included within a business manager’s overall personal performance objectives. Similar provisions can be cascaded down into the objectives of more junior staff. This highlights the importance of AML/CFT compliance and signals clearly that bonuses may be at risk if compliance performance objectives are ignored. An example for a senior business manager might be as follows:
During the assessment period, actively to assist the bank’s drive against money laundering and to provide business leadership on money laundering prevention by:
It is rare that an AML/CFT function will have sufficient resources and personnel to have an employee present in each business unit. Even if it did, as representatives of the Compliance function such employees may be viewed as separate from the business. A ‘Compliance Champion’ is therefore an employee who sits within the business and undertakes certain specific activities such as:
Because of their proximity to the business, Compliance Champions are unable to undertake any kind of independent assessment of compliance standards. This must be done either by the Compliance Officer or the Audit Department in accordance with the three-line defence model discussed earlier.
Setting up a business ownership structure as outlined above requires communication – from the Compliance Officer to the Chief Executive, and from the Chief Executive to business heads. Shown below are examples of the documents that might have a role to play in such a strategy, based around the three themes of:
Clearly the Compliance Officer should discuss their overall approach with the CEO beforehand and obtain their support for the approach, but otherwise these memos are practical documents which, when taken in conjunction with a senior management presentation and a staff briefing, for example, could form the basis of an effective communication strategy to explain the business ownership approach advocated here.
Re: Money laundering risk – Action going forward
1. I refer to our discussions regarding the above, and now set out formally, as requested, my observations on how [Name] Bank should best deal with the management of money laundering and terrorist financing risk going forward.
2. In common with other regulated banks and financial institutions in [Country], we have been complying with [Central Bank] regulations regarding the opening of customer accounts, the mandatory reporting of certain transactions and the reporting of unusual or suspicious transactions for some time. However, in view of international trends in relation to money laundering prevention, which clearly indicate:
3. I believe that our strategy should concentrate on three broad and complementary areas or ‘themes’ of action, and I outline what these are below, together with some of the practical measures which we can implement to bring them to life.
In best practice benchmark organisations, all staff – but particularly those in key areas – are aware of the risks posed by money laundering and terrorist financing, and of the steps which are expected of them in trying to prevent and/or to identify it. This means much more than just making the relevant laws and policies (see below) available to staff. It means imbuing them with an instinctive vigilance which they, whilst remaining hungry for business, then apply to all customers and all transactions. Actions to achieve this objective would include:
In organisations where the primary responsibility for ensuring anti-money laundering compliance is seen to rest with the Compliance/Risk function, businesses never fully accept their role in preventing money laundering. Management time is wasted as businesses and risk functions adopt ‘us and them’ postures. Risk is increased as, freed from responsibility for the ultimate outcome, businesses attempt to accept business which they may be less than sure about. Genuine revenue opportunities are lost as Compliance/Risk functions, feeling pressured and under attack, veto business which might otherwise be accepted.
In best practice benchmark organisations, however, primary responsibility for compliance lies with the businesses, where such compliance is seen as an integral part of the business cycle. Actions to achieve this objective would include:
We must [develop] [maintain and enhance our] policies and procedures in key areas connected with the fight against money laundering, so as to ensure that [Name] Bank’s position on anti-money laundering is clearly spelled out, and that staff have clear standards to follow. These must be adapted to be specifically relevant to each type of business and should [be updated to] cover the following issues:
4. Our policies and procedures must be living documents, which are updated regularly so as to remain relevant to new products and risk areas, and which are an integral part of the way in which each business is run.
5. The three themes complement each other. A strong culture of awareness amongst staff will make it easier for businesses to assume responsibility for compliance, just as the assumption of that responsibility will help develop the desired culture. Clear, relevant and up-to-date policies and procedures will help – and be helped by – both.
6. If you are in agreement with the above, the next step would be for us to have discussions with the business heads concerning this new strategy, before convening the first meeting of the AMG to agree a more detailed plan of how and in what order to launch and implement the various initiatives.
Sincerely, etc.
To: All Business Heads [and e.g. COO]
Re: 1. Business responsibility for anti-money laundering compliance
2. Launch of Anti-Money Laundering Group (AMG)
The purpose of this note is to outline the responsibilities which you and your businesses bear in relation to the prevention and detection of money laundering and terrorist financing in [Name] Bank in [Country], and to set out the terms of reference for a new senior management group which I have decided to form, to be called the Anti-Money Laundering Group (AMG), to assist in the planning and implementation of a comprehensive anti-money laundering strategy for [Name] Bank in [Country].
The first meeting of the AMG will take place on [date] at [time], when we will attempt to establish priorities and timings for the various initiatives.
In conclusion, I cannot over-emphasise the devastating effect which even inadvertent involvement in a money laundering and/or terrorist financing scandal would be likely to have on our business and reputation [in the current environment]. Nor can I overstate the critical importance of your providing firm leadership on this issue within your respective businesses [and functions]. I know I can count on you to work with me to ensure that our anti-money laundering strategy is a success.
Sincerely, etc.
During the assessment period, actively to assist the Bank’s drive against money laundering and terrorist financing, and to provide business leadership on money laundering and terrorist financing prevention by:
With the assistance of the AML/CFT Compliance Officer, businesses will need to implement complete policy, procedure and system solutions to the AML/CFT risks which they face. The precise scope and content of these policies, procedures and systems will be influenced by local law and regulation, but in order to comply with international standards they will need to deal with at least the following areas:
The World Bank and the IMF have produced a guide to best practice, grounded in the original FATF recommendations and in the Basel Committee on Banking Supervision’s international standards, and this text is based on the guidelines that flow from it. In addition there is relevant guidance from other industry-specific bodies and relevant sources including IAIS (insurance), IOSCO (securities), the Wolfsberg Group (international and private banking), the Joint Money Laundering Steering Group (UK consultative body) and the US Department of the Treasury Anti-Terrorist Financing Guidelines (re charities), summarised in composite form below.
The global KYC standard outlined here derives from the World Bank and IMF guidance and from the FATF recommendations together with associated regulatory guidance issued in countries such as the UK and US. The standard can be used as a benchmark for the banking sector, as well as a best practice reference point for other financial sectors.
Whatever regime is introduced at the headquarters of an institution must be applied to its branches and to any majority-owned subsidiaries, both domestically and internationally, unless it clashes with local law in that jurisdiction. If there are differences in regulatory standards between home and host countries, then the more comprehensive/stronger of the two should be applied.
Banks need to establish at the outset whether the person with whom they are dealing is acting on their own behalf, or whether there is a beneficial owner of the account who may not be identified in their paperwork. If a bank suspects the customer is representing a third party, it must carry out due diligence on that third party as well.
Third parties may be organisations or legal entities as well as individuals. It can be particularly difficult to establish who the beneficial owner is when ‘tiered ownership’ is involved, with a whole pyramid of companies controlling one another and in some cases a parent company at the top. Again, appropriate due diligence is necessary in such a situation to find out the precise identity of the parent entity.
It is necessary for banks to be able to identify which potential new customers represent a high risk in terms of money laundering and the financing of terrorism, by developing high-risk profiles against which they can be measured. Standard risk indicators for money laundering will include factors such as:
As regards terrorist financing, it simply is not possible to produce a meaningful profile for an individual terrorist financier, but clearly issues surrounding the general profile of an account will be relevant, such as:
The risk-based approach generally means that the bank can afford to exercise reduced due diligence with low-risk customers. The IMF/World Bank guidance recommends that the rigidity of the acceptance standards should be in proportion to the risk profile of a potential customer. However, when new customer business deemed to be ‘high risk’ is up for consideration, the onus should be on senior management to make the decision as to whether or not such business is appropriate for the bank to take on.
Bank staff should verify any new customer’s identification to their satisfaction before an account is opened. Customers are not allowed to open accounts in fictitious names, and numbered accounts are not permitted unless the usual customer ID procedures and supporting documentation are used as a matter of course.
Once they come to request identification documents, banks should ask for those that are hardest to forge. For individuals the most suitable are official documents such as passports, driving licences, personal ID cards or tax identification documents. An institution’s procedures should specify which of these or other documents might be acceptable for different individuals. For legal entities the suitable documents specified might include a certificate of incorporation, the business’s registered address, its tax identification number and whatever other proof of the business’s legitimacy as an entity is required.
When an intermediary – for example a trustee, financial adviser or nominee – is opening an account or carrying out a transaction on behalf of an individual or a corporate customer, then unless legally sanctioned ‘passporting’ procedures apply (e.g. as in the EU, where business introduced by other EU-regulated entities may be assumed to have been correctly identified already), the financial institution needs to take steps to verify the identification of the beneficiary. This will include the following information:
There are sometimes legitimate reasons why a customer may not be able to provide preferred identification such as a passport or driving licence.
Since the purpose of customer identification is not to exclude legitimate customers from having access to financial services, an institution’s identification procedures should include some alternative means of identifying customers to a satisfactory standard.
Particular care needs to be taken with the risk of forged identities, since this is a mechanism known to be used increasingly by terrorists, as well as criminal groups. For example:
Funds transfers of any description should be accompanied by accurate and meaningful originator and beneficiary information – including name, address and account number – and that information should remain with the payment all the way along the payment chain.
Knowing your customer is an ongoing exercise, which means that banks have to put some effort into keeping records up to date – for example if there are material changes in the way an account is run, or in the event of significant transactions being made on the account.
As discussed above, the risk-based approach requires financial institutions to assess the AML and CFT risks attached to different types of customer profile. Similarly, financial institutions need to weigh up the potential for different kinds of product to be misused for criminal activities. For instance, a wire transfer service is a more obvious choice than a 90-day notice deposit account in this respect (though long-notice accounts can have their criminal uses too).
For lower-risk categories of customer (e.g. public companies or government enterprises) financial institutions may be able to scale down or simplify the due diligence requirements, for example by requiring fewer details about the business relationship or expected transactions. Nonetheless all customers, even lower-risk ones, should be required to prove and verify who they are. For higher-risk categories, banks should take additional precautions when they carry out customer due diligence. We look more closely at the various types of higher-risk customers, products and services in Chapter 4.
As we have already seen, when intelligence services or regulatory authorities are tracing the evidence trail behind a money laundering or terrorist financing discovery, the availability of customers’ financial records (current and/or historic) can be a significant help in the detection and prosecution of the individuals involved. Moreover, the very fact that records are kept as a matter of course is believed in some cases to deter would-be criminals from their original illicit plans.
FATF Recommendation 11 sets a minimum international standard for the period over which banks and other financial institutions must retain records of the identification data obtained from customers (at least five years beyond the end of the customer relationship) and records of the customers’ transactions (at least five years beyond the date of the transaction). National regulation and institutional policy must therefore enforce this or a higher standard of record keeping. The regulators of any country may, of course, choose to extend the minimum five-year holding period for institutions based in their jurisdiction.
The information retained by banks as a matter of course should include:
Suspicious transaction reports (STRs) are the mainstay of anti-money laundering programmes. They place the onus on financial institutions to spot suspicious or anomalous activities among the daily flood of transactions, and despite the difficulty in detecting financing activity at the front end of the terrorist financing chain, they have their place in countering terrorist financing, too. As FATF puts it:
‘If a financial institution suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity, or are related to terrorist financing, it should ... report promptly its suspicions to the financial intelligence unit.’
Source: www.fatf-gafi.org copyright © FATF/OECD. All rights reserved.
However, a financial institution should, under no circumstances, alert the customers under scrutiny to the fact that their behaviour has been monitored and reported to the authorities.
‘Suspicious activities’ can take numerous forms, but many will share certain broad-brush characteristics. Most obviously, as far as money laundering in particular is concerned, they tend to involve transactions out of step with the usual patterns seen on the account in question. So any complex or unusually large deals, or unusual transactions without any obvious commercial or lawful purpose, should be viewed as potentially suspicious and reported internally and, if appropriate, thereafter to the relevant authorities.
As far as terrorist financing is concerned, a variety of indicators may give cause for concern, ranging from problems with identification documents through to, for example, unusual signing arrangements, evidence of ulterior control by undisclosed parties, and wire transfer activity which shows signs of manipulation or structuring in order to evade reporting requirements or disguise ultimate sources of funds information.
How far does the reporting organisation have to go in its reporting duties? An STR simply comprises the factual details of a transaction or series of events; there is generally no reason why the reporting bank, insurer or other financial institution should necessarily know anything about what it thinks may be wrong, only that it thinks that something may be wrong. Given that a United States Office of the Comptroller of the Currency (OCC) guide identified more than 200 predicate crimes for money laundering, of which terrorist funding is just one, anything else would be an unrealistic expectation. In any case, anything more than initial attempts to clarify details by asking leading questions of the customer could amount effectively to a tip-off that their account was under scrutiny. Financial institutions’ obligations to report are therefore based on nothing more concrete than suspicions, and once they have filed an STR then any further investigation is generally left in the hands of the authorities, although reporting institutions may cooperate with the authorities in order, for example, to further their investigations and, hopefully, bring about successful prosecutions.
Given the enduring attractions of cash for money laundering or terrorist financing purposes, which in many ways go against the global trend towards the use of plastic and the electronic movement of money, there is arguably a case for reporting any cash transaction above a certain threshold, on the basis that if everybody does it, such mass data can then be used for the purpose of trend analysis. The FATF Forty Recommendations go no further than suggesting that countries should consider the feasibility and utility of implementing such a regulation. Some jurisdictions have taken this step (including the US, Russia, and the countries of Eastern Europe and the former Soviet Union), but others have not, notably the UK and some other Western European nations.
For example, the US requires that financial institutions record and report to the authorities any currency or bearer instrument transactions of $10,000 or more as a matter of course, and Australia has a similar A$10,000 threshold. The UK regime is entirely suspicion based, and has no automatic reporting threshold, although KYC procedures are required for one-off transactions above a €15,000 limit. The EU Third Money Laundering Directive extends this to cover other non-financial businesses such as casinos and estate agents, as well as anyone selling goods for which more than €15,000 is paid in cash.
Reporting obligations for transactions involving cash do apply across the board where same-day multiple transactions – known as ‘smurfing’ – occur. This process is used by money launderers as a means of avoiding a designated reporting threshold by breaking up the movement of cash into many smaller transactions. If smurfing is suspected, financial institutions need to report the entire series of transactions to the authorities, even though individually they do not breach any reporting threshold that may exist. Additionally, a single transaction could also be suspected on the grounds that the customer was trying to evade the reporting requirements, if it was for slightly less than the relevant reporting threshold. Again, in such cases the bank should look more closely at the transaction and file a report if it is suspicious.
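The aggregation logic described above, as an added illustration that is not from the book or any particular bank's system: same-day cash items are grouped per customer so that a series of sub-threshold deposits is seen as a whole, single items at or above the threshold are flagged for routine reporting, and single items just under it are flagged for closer review. The $10,000 threshold is the US figure quoted earlier; the 10 per cent near-threshold band, the customer identifiers and the transactions are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REPORT_THRESHOLD = 10_000.00   # US currency transaction reporting level quoted above
NEAR_THRESHOLD_BAND = 0.10     # constructed tuning value: single items within 10% below the threshold


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    day: date
    branch: str
    amount: float


def group_by_customer_day(txns):
    """Bucket cash movements per (customer, day) so that deposits split across
    branches or tellers on the same day are examined together."""
    buckets = defaultdict(list)
    for t in txns:
        buckets[(t.customer_id, t.day)].append(t)
    return buckets


def find_reportable(txns, threshold=REPORT_THRESHOLD, band=NEAR_THRESHOLD_BAND):
    """Return review findings for a batch of cash transactions.

    kind == 'mandatory'      : a single item at or above the threshold (routine report)
    kind == 'series'         : several same-day items, each below the threshold, whose
                               total reaches it (suspected smurfing; report the whole series)
    kind == 'near_threshold' : a single item just below the threshold (look more closely)
    """
    findings = []
    for (cust, day), group in sorted(group_by_customer_day(txns).items()):
        under = [t for t in group if t.amount < threshold]
        for t in group:
            if t.amount >= threshold:
                findings.append({"kind": "mandatory", "customer_id": cust, "day": day,
                                 "total": t.amount, "transactions": [t]})
        if len(under) > 1 and sum(t.amount for t in under) >= threshold:
            findings.append({"kind": "series", "customer_id": cust, "day": day,
                             "total": sum(t.amount for t in under), "transactions": under})
            continue  # the series finding already covers these sub-threshold items
        for t in under:
            if t.amount >= threshold * (1 - band):
                findings.append({"kind": "near_threshold", "customer_id": cust, "day": day,
                                 "total": t.amount, "transactions": [t]})
    return findings


def kinds_by_customer(findings):
    """Summarise findings as customer_id -> list of finding kinds."""
    out = defaultdict(list)
    for f in findings:
        out[f["customer_id"]].append(f["kind"])
    return dict(out)


D = date(2024, 3, 4)
SAMPLE_TXNS = [  # constructed sample data
    CashTxn("C001", D, "Branch A", 4_800.00),
    CashTxn("C001", D, "Branch B", 3_500.00),
    CashTxn("C001", D, "Branch C", 2_200.00),   # three splits totalling 10,500
    CashTxn("C002", D, "Branch A", 9_600.00),   # a single item just under the threshold
    CashTxn("C003", D, "Branch B", 12_000.00),  # routine mandatory report
    CashTxn("C004", D, "Branch A", 500.00),
    CashTxn("C004", D, "Branch A", 300.00),     # small and unremarkable
]

if __name__ == "__main__":
    for f in find_reportable(SAMPLE_TXNS):
        print(f["kind"], f["customer_id"], f["day"], f["total"],
              [(t.branch, t.amount) for t in f["transactions"]])
```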
An important consideration as regards the whole principle of filing reports to the authorities on customer transactions is the concept of what are known in the US as ‘safe harbour’ laws. These are laws that protect financial institutions and their staff from criminal or civil liability arising from the alleged breaking of confidentiality or secrecy laws, provided they report suspicious transactions in good faith; that is, without malice.
All organisations covered by a country’s AML and CFT laws need to set up their own internal policies and procedures to protect themselves against the risk of being criminally exploited in either way. A critical aspect of these internal controls is an independent audit function (whether based within the firm or brought in from outside), which is separate from the AML/CFT compliance function and therefore able to test objectively the adequacy of the overall compliance arrangements.
Equally significant is the requirement for ongoing staff training. Whilst regular training programmes on how to recognise potential money laundering activity and what action to take have become a well-established feature of fully compliant financial institutions, much less attention is paid to the specifics of terrorist financing within the formal financial system. In the words of one (anonymous) senior compliance figure in the EU banking industry: ‘There’s not sufficient focus on terrorist financing generally. Banks should be able to point to specific CFT action that staff should take and training which they have undergone.’
Prior to 9/11, the sanctions lists produced by international or national authorities focused mainly on specific countries or regimes, with the aim of prohibiting fund transfers to the sanctioned country and freezing the assets of the government, businesses and residents; or else they targeted known political figures (e.g. Slobodan Milošević). Since that date, the composition of the lists has changed, as thousands of individuals and organisations suspected of having terrorist links have been added to the lists.
Accessing and making effective use of the lists is a challenging operational requirement for all financial institutions. There are many sanctions lists available. The UN produces a broad global list, applicable to all member states, while the EU consolidated list comprises names featuring in the annexes to various EC regulations. In addition, individual countries may have their own domestic sanctions regimes.
For the US financial sector, the sanctions authority is the Office of Foreign Assets Control (OFAC). The OFAC list should include names listed under the UN sanctions regime, but it will not necessarily contain EU sanction targets. Screening against the OFAC lists as well as the national and UN sanctions lists is necessary for all foreign financial institutions dealing directly with the US, and for this reason is standard practice at all large banks; indeed, any bank conducting dollar business should do so.
In addition to these formal sanctions lists, from time to time the authorities issue warning lists of names deemed to be a source of concern to those institutions where those people are believed to have accounts, even though there are no legally binding sanctions attached at this stage. The purpose of the warning lists is to enable financial institutions to move immediately to freeze the target assets if or when these names are subsequently added to formal sanctions lists.
Financial institutions are required to run all new accounts of any sort against the current updated versions of the relevant lists, and similarly to screen all existing accounts on a regular basis. Wire transfers should also be screened as a matter of course (see below) to establish that no person or entity whose name appears on a list is the recipient of the funds. It is a key operational responsibility for the AML/CFT Compliance function to decide which lists their organisation must watch and how often. This latter point will be a matter for each firm’s internal policy, and a reflection of its size and character. For instance, a small insurance firm might choose to scan its database monthly, whereas an international bank opening 10,000 to 20,000 new accounts each day would need to scan on a daily basis. Effectively this means that such institutions must have systems and software that can do this for them and there are a multitude of solutions on the market. Use of such systems is not mandatory under the EU Third Directive, although it is required of banks in the US.
Lists should contain any alternative name spellings and aliases used by the suspects in question, but of course it is not possible to conclude that just because someone has a name that features on a sanctions list, that they are the wanted individual. There is a distinction between a ‘name match’, where the organisation has matched the name of an account holder with the name of a target included on a list, and a ‘target match’, where the organisation is satisfied that the account held is that of the actual target of the financial sanctions, that is, the suspected ‘bad guy’.
Full details of any target matches should be reported to the authorities and any affected accounts frozen immediately. However, it has to be said that target matches are a relative rarity. It is more likely that a name on the database will match with an entry on a sanctions list but there will be no conclusive evidence that it is the same person or organisation. In that case it is the financial institution’s job initially to look more closely at the KYC information and customer profile on record, and to assess it against the details available on the list. If it is not possible either to confirm or to clear the customer’s name on the basis of available information the financial institution may be able to seek guidance from the sanctions authorities, but in the meantime it is faced with the intractable problem of how to treat the customer’s account. Given the consequences and penalties of making a mistake, many financial institutions will take the view that they have no choice but to adopt the somewhat brutal policy of blocking an account until they have satisfied themselves that they do indeed only have a name match. They will prefer to deal with the customer’s lawsuit rather than a regulatory enforcement action or a criminal prosecution.
It is in these circumstances that the importance of painstakingly and diligently collected KYC information becomes all too clear, not to mention software programs that can analyse such data against list information and, for example, produce ‘target match’ probability scores.
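The name-match versus target-match distinction drawn above, as an added illustration that is not from the book or any screening vendor: names and aliases are normalised (accents and punctuation folded, token order ignored) before comparison, a hit above a similarity threshold is a name match, and the KYC attributes on record then either corroborate it into a target match, clear it, or leave it unresolved. The list entries, customers, the 0.85 threshold and the probability heuristic are all constructed for the example.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

NAME_MATCH_THRESHOLD = 0.85   # constructed: minimum similarity that counts as a name match


@dataclass(frozen=True)
class ListEntry:
    list_name: str
    primary_name: str
    aliases: tuple
    date_of_birth: Optional[str]   # ISO date, or None when the list gives none
    nationality: Optional[str]


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    date_of_birth: Optional[str]
    nationality: Optional[str]


def normalise(name: str) -> str:
    """Fold accents and case, drop punctuation, and sort tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[a-z]+", folded.lower())))


def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def classify(customer: Customer, entry: ListEntry, threshold: float):
    """Compare one customer against one list entry. Returns None when no name
    (primary or alias) matches; otherwise a finding that separates a bare name
    match from a target match using the KYC attributes on record."""
    candidates = (entry.primary_name,) + entry.aliases
    matched, score = max(((n, name_similarity(customer.name, n)) for n in candidates),
                         key=lambda pair: pair[1])
    if score < threshold:
        return None
    pairs = [(customer.date_of_birth, entry.date_of_birth),
             (customer.nationality, entry.nationality)]
    corroborating = sum(1 for c, l in pairs if c is not None and l is not None and c == l)
    conflicting = sum(1 for c, l in pairs if c is not None and l is not None and c != l)
    if conflicting:
        status = "name_match_cleared"       # KYC data points to a different person
    elif corroborating == len(pairs):
        status = "target_match"             # every available attribute agrees
    else:
        status = "name_match_unresolved"    # not enough data to confirm or clear
    # Constructed scoring heuristic, not a vendor algorithm: a conflicting
    # attribute pulls the probability down hard; each corroborating one lifts it.
    probability = score * (0.25 if conflicting else 0.6 + 0.2 * corroborating)
    return {"customer_id": customer.customer_id, "list_name": entry.list_name,
            "matched_name": matched, "name_score": round(score, 3),
            "probability": round(probability, 3), "status": status}


def screen_customer(customer, entries, threshold=NAME_MATCH_THRESHOLD):
    """Return the highest-probability finding across all list entries, or a no-match record."""
    hits = [h for h in (classify(customer, e, threshold) for e in entries) if h]
    if not hits:
        return {"customer_id": customer.customer_id, "status": "no_match", "probability": 0.0}
    return max(hits, key=lambda h: h["probability"])


ACTIONS = {  # operational follow-up as described in the text
    "target_match": "freeze the account and report full details to the authorities",
    "name_match_unresolved": "hold pending review and, if needed, guidance from the sanctions authority",
    "name_match_cleared": "clear, but record the evidence and the rationale",
    "no_match": "no action",
}

SAMPLE_LIST = [  # constructed entries, not taken from any real sanctions list
    ListEntry("Constructed List A", "Ivan Petrov",
              ("Petrov, Ivan Sergeyevich", "Iván Petróv"), "1970-05-12", "Country A"),
    ListEntry("Constructed List A", "Northern Star Trading LLC",
              ("North Star Trading",), None, None),
]
SAMPLE_CUSTOMERS = [  # constructed customers
    Customer("K001", "Iván Petróv", "1970-05-12", "Country A"),     # attributes corroborate
    Customer("K002", "Petrov, Ivan", "1985-01-01", "Country A"),     # same name, different DOB
    Customer("K003", "Ivan Sergeyevich Petrov", None, None),        # cannot confirm or clear
    Customer("K004", "Maria Lopez", "1979-02-20", "Country B"),      # no hit
]

if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        hit = screen_customer(c, SAMPLE_LIST)
        print(c.customer_id, hit["status"], hit["probability"], "->", ACTIONS[hit["status"]])
```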
As well as conducting the screening process on all new accounts, on existing accounts as often as is necessary and on wire transactions and one-off non-customer transactions, financial institutions need to establish and maintain an effective programme to ensure compliance with the sanctions authority in question. This should include:
Other considerations include arrangements for maintaining current sanctions lists and distributing them throughout every subsidiary or branch office, both domestically and overseas.
As well as situations where the available facts are inconclusive, there are also those situations where financial institutions will actually determine, erroneously, that their customer is the person named on the list – the dreaded ‘false positive’ scenario.
In such circumstances it is essential that financial institutions should be capable of demonstrating that even if the outcome was wrong, they followed their full and correct procedure and carried out checks with any other parties involved (e.g. with a remitting bank). It is vital to keep clear records of the decision-making process leading up to any action taken.
As discussed earlier, one of the fundamental tenets of a risk-based approach is that financial institutions should make judgements about the risks of misuse attached to each relationship and should then focus the greater part of their attention in those areas where the greater risks lie. In this regard, specific attention should be paid to the following.
Correspondent accounts may be maintained between banks, for use in making transactions for customers or between themselves. They are overwhelmingly above board, but certain cross-border correspondent arrangements are at risk of misuse by money launderers and terrorist financiers (the assumption being that due diligence and KYC will be dealt with by the respondent bank in the country of origin). Such accounts maintained with banks based in lightly regulated countries are particularly vulnerable, as they may offer a route for people or organisations to access the global financial system while sidestepping more rigorous checks.
As the IMF/World Bank guidance points out, before entering into such a cross-border arrangement, any financial institution should make an assessment of the respondent bank in question, establishing:
The importance of the above cannot be over-emphasised in the training provided to relevant staff. If ‘payable-through accounts’ are to be used, then the financial institution needs to ensure that the respondent bank will verify the identity of its customers and carry out ongoing due diligence on them. More generally, the respective responsibilities of the banks should be established and documented beforehand. Correspondent banking is another area where senior management should take responsibility for approving the business relationship before it actually gets going.
Banks should not set up correspondent banking arrangements with organisations located in certain FATF designated high risk jurisdictions, nor with so-called ‘shell’ banks (banks which are unconnected with any effectively regulated financial system and which are incorporated in a jurisdiction where they have no physical presence or actual staff operations).
There has been a rapid and dramatic expansion in non-face-to-face business as a result of the development of financial information services and product delivery via electronic means, including ATMs, telephone and internet banking. Although there is no inherently greater risk involved in applications received by phone or internet than in, say, applications by post, a combination of other factors typically aggravates the risks involved.
For example, it is possible to make an application instantaneously, at any time and from any location; it is also easier to make multiple fictitious or anonymous applications without any additional risk and with less danger of detection. Physical documents are not typically required as part of the application process, therefore making it relatively easier to apply by using a stolen identity. All these factors increase convenience for criminals or terrorist groups, and correspondingly, the risks to financial institutions. However, FATF leaves it to individual jurisdictions to work out and put in place appropriate regulatory measures for their financial institutions.
The updated guidelines on customer identification provided by the UK’s Joint Money Laundering Steering Group (JMLSG) are an interesting example of the approach being adopted in some quarters. The JMLSG takes the view that:
‘The extent of verification in respect of non face-to-face customers will depend on the nature and characteristics of the product or service requested and the assessed money laundering risk presented by the customer ...
The standard identification requirement (for documentary or electronic approaches) is likely to be sufficient for most situations. If, however, the customer, and/or the product or delivery channel, is assessed to present a higher money laundering or terrorist financing risk – whether because of the nature of the customer, or his business, or its location, or because of the product features available – the firm will need to decide whether it should require additional identity information to be provided, and/or whether to verify additional aspects of identity.
Where the result of the standard verification check gives rise to concern or uncertainty over identity, or other risk considerations apply, so the number of matches that will be required to be reasonably satisfied as to the individual’s identity will increase.’
Source: www.jmlsg.org.uk
The guidance goes on to provide examples of the additional checks that institutions might use to mitigate, in particular, impersonation risk, but leaves it to the institution to determine how and when these will be applied. Additional checks could take the form of, for instance (again, depending on the perceived risk presented by the customer), electronic checks as well as documentary evidence, or a written communication to the customer’s verified home address, or requiring a form to be completed and returned by post.
Electronic transfers pose particular concerns for financial authorities and regulatory bodies. FATF’s Recommendation 16 and the Interpretive Note thereto set out in detail the steps that financial institutions should take when sending money electronically:
Private banking relationships are set up not only by wealthy individuals and Politically Exposed Persons (PEPs) but also by law firms, investment companies, investment advisers and trusts. Particularly with regard to money laundering, private banking is viewed as a potentially high-risk sector of the banking universe for various reasons – not least because of the typical levels of wealth, the complexity and sophistication of financial services available (in particular, so called ‘secrecy’ products), and the number of advisers and intermediaries that may be involved in a client’s financial affairs. Often, too, the very purpose of starting a private banking relationship is to hide wealth and put it out of reach (whether from corrupt authorities, probing journalists or a vengeful spouse) – a process which is just as effective for criminal proceeds as it is for legitimate funds.
On the other hand, private bankers are likely to have more proactive and personal relationships with their client than would be the case in retail banking, and may therefore have additional insights into anomalous account activity. In this regard it is important to remember that the wealthy client issuing execution-only instructions for transfers of funds between various investments and offshore vehicles could just as easily be a terrorist sympathiser and financial donor, as a genuine client, or a criminal money launderer. Because private banking relationships can be so complex, it is also important that there are effective systems in place within each bank to monitor and report suspicious activity, and that this can be done based on a client’s total activities.
Standards for private banking have been largely driven in recent years by the Wolfsberg Group of international banks, which has drawn up a set of best practice guidelines for global private banking. These set out as the basic principle for client acceptance the requirements that banks will accept only those clients whose sources of wealth and funds can be reasonably established as being legitimate, and whose beneficial ownership is clear. It is the responsibility of the individual sponsoring private banker to make sure this is the case and, indeed, to be alert to suspicious activities on an ongoing basis. Importantly, say the Wolfsberg principles: ‘Mere fulfilment of internal review processes does not relieve the private banker of this basic responsibility.’ (www.wolfsberg-principles.com)
In addition, the principles address other key areas, as follows.
Crucially, client identification requirements under Wolfsberg extend beyond the actual named client to the beneficial owners of account assets. The private banker is expected to understand the structure of companies and trusts sufficiently to establish who are the main players involved, and they must make a judgement as to whether to carry out further due diligence on the individuals and companies concerned. Due diligence must include:
References or other corroboration of the details are also required, where this is possible, and it would normally be expected that a client would meet their banker face-to-face before opening the account.
Extra caution is necessary, as would be expected, in cases where a client’s money was sourced in high-risk or lightly regulated countries, or where the client is involved in an area of business known to be susceptible to money laundering activities, or where the client is known to send funds to countries associated with terrorist activity or where the client donates to causes in such countries.
PEPs (who tend to favour the bespoke nature and privacy of private banking arrangements) also require additional due diligence (see below), and senior management must approve any new relationship with a PEP. Suspicious transactions (which may include large cash transactions, any account activity out of line with the customer profile, or ‘pass-through’ transactions) might be identified in a number of ways beyond the usual monitoring of the account. Suspicions might be triggered, for example, through third-party information from the media about a client, meetings with the client, or personal knowledge about factors such as the political situation in the client’s country. The onus, according to Wolfsberg, is on the private banker to keep abreast of the ‘bigger picture’, as well as gaining and maintaining a thorough knowledge of the customer and their situation.
The Wolfsberg Group supplemented its original principles, which focused on money laundering and other financial crimes in relation to private banks, with a further statement on best practice dealing with countering terrorist financing. This highlights the importance of name screening:
‘The proper identification of customers by financial institutions can improve the efficacy of searches against lists of known or suspected terrorists [applicable to that jurisdiction].
To that end, it expands on existing identification, acceptance and due diligence best practice. Banks need to implement name-screening procedures and report any matches to the authorities; in addition they need to look at ways of speeding the retrieval of information about a customer if it is required.’
Source: www.wolfsberg-principles.com
Enhanced KYC policies should be in place for any customers involved in business sectors widely misused by terrorist groups, such as alternative remittance systems. Due diligence should be more extensive and rigorous on new business applications from such customers, and monitoring should be increased on both existing accounts and on those new accounts that meet the acceptance criteria. As a basic principle, banks should limit their business relationships with remittance businesses, exchange houses, bureaux de change and money transfer agents to those which are subject to appropriate AML/CFT regulation.
The Wolfsberg statement recognises that there is little chance that account monitoring will be able to identify individual transactions linked to specific terrorist attacks, but it emphasises the importance of continuing to look for and report suspicious transactions on the grounds that such information could provide leads for intelligence services. In particular, it highlights the need to scrutinise more rigorously the account activities of any customer involved with business sectors known to be a conduit for terrorist funds, and the need for banks to try to spot patterns and trends in terrorist financing.
As well as monitoring the various higher-risk categories of business outlined above, the World Bank/IMF guidelines emphasise the need for financial institutions to be alert, across the spectrum of their customer accounts, to any complex, unusually large transactions, and to unusual patterns of transactions without any obvious lawful purpose.
They are instructed to look more closely at such transactions to establish as far as they can what is going on and why, and to keep a record of their findings. If they cannot obtain the information they want, or if their findings leave them still suspicious, they should consider turning the business away, and if necessary filing an STR.
Just as some kinds of financial services products are more likely than others to be exploited for illicit ends, so financial institutions are also expected to take a view on the likelihood that particular types of customer will pose a higher risk of involvement in criminal activity (including terrorist financing activity), and to adjust their due diligence, KYC and monitoring efforts accordingly.
Among the categories identified by FATF, increased due diligence with regard to money laundering would be expected in the case of accounts for PEPs (senior people in prominent public positions and their families or close associates). Bank staff would be expected to identify the PEP and their sources of wealth and funds; any new account in the PEP’s name would have to be approved at senior management level, and more rigorous monitoring of the account would be required.
However, as the World Bank/IMF notes observe, ‘Actually finding out whether a customer is a PEP is often the biggest challenge for a financial institution.’ There is no official list of world PEPs to consult, for example, though ‘rich lists’ and other compilations are produced and updated commercially.
Another potentially troublesome scenario involves clients introduced to financial institutions by intermediaries or other third parties, when the financial institution itself does not carry out the usual customer due diligence. In such instances, the IMF/World Bank guidance recommends that banks should make sure that the agent who brought the new business is obliged by the relevant regulator in the agent’s home country to perform customer due diligence, that they have in fact collected sufficient information about the customer in question, and that the information can be made available promptly if it is required.
Financial institutions need to be particularly careful when business is introduced to them by an agent based in another country. According to the IMF/World Bank commentary:
‘Several countries ... require that the introducer should be an individual or an institution that is subject to AML controls, is supervised by a regulatory body with responsibility for compliance with AML controls, and is located in a country that complies with FATF standards.’
Source: Schott, P.A. (2003) Reference Guide to Anti-Money Laundering and Combating the Financing of Terrorism, World Bank/IMF, Chapter VI.
WWW
(Note: a film account of a proposed transaction involving these issues can be previewed at http://www.antimoneylaunderingvideos.com/player/offshore_trusts.htm.)
It is most important for financial institutions to be able to identify customers and transactions coming from high-risk parts of the world. They should exercise heightened caution dealing with countries branded by FATF as higher risk in the fight against money laundering and with countries in which there is terrorist-inspired conflict or where those who support such conflicts raise funds. Transactions with such countries are not necessarily prohibited, but they are considered to carry higher risks and should be scrutinised accordingly. Again, if a bank has any doubts that a transaction with such a country is above board, it should think about declining the business and also consider filing an STR under its suspicion-reporting obligations. Additionally, the national security or regulatory authorities may have identified specific jurisdictions as being of particular concern, as may the management of the financial institution itself, if it has effective procedures in place for tracking the release of such information.
Banks and other financial institutions should also bear in mind that as the global marketplace becomes increasingly interconnected, it may become necessary to extend greater due diligence practices to other groups beyond their direct customers, particularly if there are higher-than-average risks attached to the relationship. These groups might include, for example, customer employees, correspondent banks as well as agents and suppliers working for their customers.
WWW
(Note: a film account of a money laundering scheme involving a high-risk jurisdiction can be previewed at http://www.antimoneylaunderingvideos.com/player/brokerage_accounts.htm.)
Charities and non-profit organisations (NPOs) may be open to abuse by terrorist groups, often by diverting funds originally raised for humanitarian purposes. It is therefore crucial that financial institutions should carry out enhanced due diligence to ensure that they ‘know their charity’.
Senior management should approve any new relationship, and should bear in mind that there could be high risk attached to the business. A bank representative should visit the charity premises, meet the leaders and prepare a report on the visit, including such details as:
Financial institutions with charitable or NPO customers also need to monitor their accounts closely, and to be aware of potential red flags, such as the following:
Voluntary best practice guidance for charities issued by the US Department of the Treasury is also worth mentioning. This guidance includes a section on financial accountability and practices which may impact on charities’ dealings with financial institutions holding their accounts, at least insofar as it shapes the typical NPO account activities and profile that a bank with charitable accounts might expect to see. These guidelines state that:
IT systems can be expensive and AML/CFT systems are no exception. Particularly in an emerging markets environment where valuable corporate money is already being spent on policies, procedures, personnel and training, the temptation may be to skimp on systems expenditure. This is a mistake. It is almost impossible to comply with international best practice unless you have some minimum capability to do certain key things and systems are now effectively an essential part of your organisation’s capability to do this. Set out below are different types of systems plus their capabilities and ideas on how Compliance departments can get ‘smart’ information on constrained budgets.
These are systems that will screen the names of customers against regularly updated lists of prohibited persons, in order to comply with the international requirements referred to earlier. There are various subscription products such as World-Check and Thomson Reuters to which financial organisations subscribe. Names of proposed customers are input to the system, either manually or automatically (see ‘Combined systems’ later on) and the system then compares the name with a composite list of various proscribed persons, typically drawn from the United Nations list, the US OFAC (Office of Foreign Assets Control) list and any national list in force in the country where the financial organisation is located. If there is a name match the system produces a report which can then be investigated in the manner described earlier. Such systems are also used for determining whether or not a customer is a PEP, and hence whether enhanced due diligence should apply to them. They are also used by financial institutions to sweep the entire customer base periodically to check that existing customers have not become either proscribed or politically exposed during the interim period.
The function of these types of systems is to detect transaction patterns or individual transactions which are unusual. Information describing expected account habits is input into the system at the start of the relationship. Categories of information typically cover such items as expected account turnover, expected largest single payment, expected largest cash payment, identities of major customers and suppliers and their banks and countries of operation, expected highest monthly balance, etc. This information is obtained from the customers themselves. The system then monitors the accounts for transactions or patterns of transactions which fall outside the expected profile contained within the system, and produces an exception report if there is a variance above a given range, which can be specified by those running the system (e.g. exception reports to be produced at variances greater than 30 per cent, 40 per cent, 50 per cent, etc.). In practical terms, the challenge for Compliance Officers is always the same; namely, to set the variance levels at rates which are not so high as to produce no exception reports at all, and yet which are not so low as to produce hundreds or even thousands of reports, which then have no prospect of being analysed for potential suspicious activity, as described in the example below.
In the first decade of the twenty-first century, many US financial firms faced fines and regulatory sanctions from the Federal Reserve Bank and other regulators for failing to implement transaction monitoring systems correctly. It had become a requirement that banks should implement such systems, but a problem was that having done so, the banks were not prepared in terms of staffing and skill sets to analyse the exception reports produced by the systems. In one instance, a reputable international bank’s New York office had installed a transaction monitoring system which was producing many hundreds of exception reports. However, only one person was available to review and analyse the reports and that person had many other responsibilities.
It follows that such systems can also be used for the purposes of mandatory reporting, should regulations require it. The mandatory reporting thresholds or transaction descriptions are input into the system, which then recognises transactions above the thresholds that then need to be reported to the national financial intelligence unit, whether manually or automatically, direct from system to system.
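The rule-based exception reporting described in the preceding paragraphs, as an added illustration that is not from the book or any vendor's product: each account's expected profile (turnover, largest single payment, largest cash payment, highest balance) is compared with one month of observed activity, a metric is flagged when it exceeds its expectation by more than the configured variance, and the same data is run at several variance settings to show how the alert volume the Compliance Officer must review changes. The accounts, profiles and monthly figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedProfile:
    """Expected account habits captured from the customer at account opening."""
    account_id: str
    monthly_turnover: float
    largest_single_payment: float
    largest_cash_payment: float
    highest_monthly_balance: float


@dataclass(frozen=True)
class ObservedMonth:
    """Actual figures for one account in one calendar month."""
    account_id: str
    month: str
    turnover: float
    largest_single_payment: float
    largest_cash_payment: float
    highest_balance: float


def variances(profile: ExpectedProfile, observed: ObservedMonth) -> dict:
    """Fractional excess over expectation per metric (0.0 when at or below expected).
    A metric the customer said would be zero is treated as an unbounded variance
    as soon as any activity appears, since no proportion can be computed."""
    pairs = {
        "turnover": (observed.turnover, profile.monthly_turnover),
        "largest_single_payment": (observed.largest_single_payment, profile.largest_single_payment),
        "largest_cash_payment": (observed.largest_cash_payment, profile.largest_cash_payment),
        "highest_balance": (observed.highest_balance, profile.highest_monthly_balance),
    }
    out = {}
    for metric, (actual, expected) in pairs.items():
        if expected <= 0:
            out[metric] = float("inf") if actual > 0 else 0.0
        else:
            out[metric] = max(0.0, (actual - expected) / expected)
    return out


def exception_report(profiles, observations, variance_threshold: float) -> list:
    """One exception per account-month in which any metric exceeds the variance setting."""
    by_id = {p.account_id: p for p in profiles}
    report = []
    for obs in observations:
        breaches = {m: round(v, 2) for m, v in variances(by_id[obs.account_id], obs).items()
                    if v > variance_threshold}
        if breaches:
            report.append({"account_id": obs.account_id, "month": obs.month, "breaches": breaches})
    return report


def alert_volume(profiles, observations, thresholds=(0.3, 0.4, 0.5, 1.0)) -> dict:
    """Number of exceptions produced at each candidate variance setting."""
    return {t: len(exception_report(profiles, observations, t)) for t in thresholds}


SAMPLE_PROFILES = [  # constructed expected profiles
    ExpectedProfile("A1", 50_000, 10_000, 2_000, 60_000),
    ExpectedProfile("A2", 20_000, 5_000, 1_000, 25_000),
    ExpectedProfile("A3", 100_000, 40_000, 0, 120_000),   # customer said no cash at all
    ExpectedProfile("A4", 5_000, 1_000, 500, 8_000),
]
SAMPLE_MONTH = [  # constructed observed activity for one month
    ObservedMonth("A1", "2024-03", 68_000, 12_000, 2_100, 65_000),    # turnover 36% over
    ObservedMonth("A2", "2024-03", 29_000, 5_200, 1_000, 26_000),     # turnover 45% over
    ObservedMonth("A3", "2024-03", 90_000, 38_000, 5_000, 110_000),   # unexpected cash
    ObservedMonth("A4", "2024-03", 15_000, 4_000, 3_000, 20_000),     # everything far over
]

if __name__ == "__main__":
    for threshold, count in alert_volume(SAMPLE_PROFILES, SAMPLE_MONTH).items():
        print(f"variance > {threshold:.0%}: {count} exception report(s)")
    for e in exception_report(SAMPLE_PROFILES, SAMPLE_MONTH, 0.5):
        print(e)
```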
Beyond the more simple, rule-based systems described above, it is possible to purchase so called ‘intelligent’ systems that use ‘fuzzy logic’ and databases drawn from very wide pools of customer data to predict account behaviour patterns for certain classes of customer. For example, in circumstances where transactions have occurred on an account which do not fall outside the set parameters within the rule-based system (and which, hence, will not produce an exception report) an intelligent system will be able to detect that, nevertheless, whatever the customer has told you to expect, this particular transaction pattern is unusual for other customers of that type.
The largest institutions will have global systems which combine all the different capabilities described above in one all-encompassing package which is linked to the organisation’s main banking system and which has been specifically tailored to the organisation’s own anti-money laundering policy. These combined systems can cost upwards of $20 million to $30 million and provide a complete system solution for client screening, blacklist checks, new customer acceptance, transaction monitoring, mandatory reporting, exception reporting, records retrieval, transaction blocking and account freezing.
Figure 3.2 shows an intelligent transaction monitoring system. Figure 3.3 shows a process flow for a combined system capable of accepting or rejecting new clients and allocating different intensities of monitoring activity in accordance with a risk-based approach.
Spending many millions of dollars on AML/CFT systems may still be well outside the budgetary constraints of many emerging markets’ financial institutions. This means, therefore, that AML/CFT Compliance Officers in those countries must often seek to do the best they can with what is available, identifying the highest-risk areas and concentrating on those whilst also seeking and fighting for additional resources at opportune times.
Probably the highest-risk area in the current environment is that of proscribed persons – the terrorist lists. As a financial institution grows it becomes increasingly difficult to accomplish name screening effectively without a system and this is, therefore, the essential place to start. A simple, limited user subscription to one of the available databases will provide a level of protection against taking on or retaining clients on proscribed lists and will also assist in identifying potentially higher-risk clients such as PEPs.
If the organisation’s core banking system is already handling mandatory reporting requirements, then a discussion with the IT department ought to enable a Compliance Officer to access additional information which is relevant. For example, again using a risk-based approach, it ought to be possible for a Compliance Officer to data-mine the core banking system for the following types of relevant information:
By accessing such information from the organisation’s core banking system, a Compliance Officer can also learn a lot about the money laundering and terrorist financing risk profile which the various businesses are assuming in practice.
Training is an essential component of the Compliance Officer’s role. Unfortunately it is also something that tends to be ignored when more pressing operational requirements weigh in upon the Compliance Officer. Such an outcome should be avoided at all costs since not only is training a regulatory requirement in most countries, it also helps to generate the culture of awareness amongst staff which is such an important part of the organisation’s overall AML/CFT effort. It is unlikely that you will be able to train everybody in everything which they need to be trained in, immediately. It is more likely that, with limited resources, you will have to prioritise. In order to prioritise you need to be able to assess the most important requirements and then select accordingly. To do this, you will need to conduct a Training Needs Analysis (TNA).
What is a TNA? It is a simple, logical system used by training and development professionals to enable training needs to be established within an organisation and thereafter to set priorities. The processes are outlined below:
The first stage of a TNA is to work out what training has already been done in the organisation within a given period (e.g. the past two years). Relevant questions are:
For example, look at the information on previous training provision across business and job functions shown in Figure 3.4.
Of all the jobs listed across the businesses shown in Figure 3.4, you might find that the only training which has been done is for account opening staff and bank tellers; those dealing with account opening documentation requirements and mandatory cash reporting thresholds, respectively. This would mean that no other training had been provided for any of the other job descriptions.
Having worked out what training has been done and for whom, it is now necessary to establish what training needs to be done going forward. This entails a degree of enquiry by the Compliance Officer. What training is required by the law of the country? Have there been any poor internal or external inspection reports within specific business areas which are indicative of a training need?
Figure 3.4 Previous training provision
Are there any upcoming reviews or inspections (e.g. a central bank inspection or a review by a US or EU correspondent bank)? Are there any particular business risks which have raised their profiles recently? Does the organisation’s own AML policy require certain types of training, and if so in what? Have there been any disasters or ‘near misses’, indicating that further training needs to happen (e.g. nearly opening an account for someone on a terrorist list)?
Having worked out what training has already been done and having established what training needs to be done, the Compliance Officer should now be in a position to map the existing provision against the current and future needs in order to arrive at a list of training requirements. But this on its own will not be enough. Unless the Compliance Officer is blessed with enormous resources, there will simply not be the time, people or money to achieve everything which needs to be achieved straight away. Therefore, the Compliance Officer will need to prioritise and create a training schedule accordingly. Here, it is better to be realistic rather than over-ambitious, and it is absolutely necessary to have very clear training objectives with ‘do by’ dates attached to them. For example, referring back to the example box above, the Compliance Officer in that organisation might decide that they need to address the most basic requirements first, whilst also ensuring that their current highest business risk is also covered. They might therefore decide on the following training prioritisation:
By 30 June 2012:
This is a risk-based approach to AML/CFT compliance training. It demonstrates to regulators, potential overseas correspondents and stakeholders generally that the AML/CFT Compliance function is organising its training carefully, thinking about the issues and creating prioritised training to address the key risks. Training to address less-important perceived risks can then follow. The important thing is for the Compliance Officer to be able to show not only that they are undertaking training, but also that they are targeting the training efforts to make them as effective as possible when matched against the risks which the organisation is confronting.
There is a temptation to think that training only counts if it is people sitting in a classroom listening to a person (e.g. the compliance officer) talking and showing slides. This is too narrow an interpretation of the activity. The wider phrase ‘training and communications’ encompasses any method used to convey knowledge, teach new skills, change attitudes and encourage staff to do what is required.
Beyond classroom training, an organisation’s AML CFT training programme is limited only by resources and need. Below are some of the other methods that can be deployed:
Sometimes organisations may not just wish to train their staff, but to prove to the outside world that those staff have achieved a certain standard of knowledge and competence. They may therefore wish to obtain independent accreditation for the learning achieved with a certificate that counts as more than a certificate of attendance, typically after the passing of some exam.
The largest global financial institutions will tend to adopt a blended approach to AML/CFT training, mixing classroom with distance learning techniques (techniques in which the learner is not physically present with the teacher in a classroom). E-learning tends to play an important role, given the need to train large numbers of people in the same way across vast distances. Such systems will often have self-certification built in, i.e. the user takes a test and if successful, the system produces a certificate confirming that they have passed the test, which is then centrally recorded by the system. Systems of this type can also be constructed as a series of discrete ‘chapters’ or ‘modules’ which are relevant to different people in different businesses and/or in different countries and using different languages. The most advanced systems are sophisticated in this respect and consequently quite expensive, although the per person training cost over time can be greatly reduced. An example is shown in Figure 3.5.
To many Compliance Officers, the idea of training staff in CFT is a difficult concept to grasp. After all, what on earth can you train people on? Everybody knows by now that, without a tip-off from the security services, terrorist financing is all but impossible to detect. Not much can enhance an organisation’s capability to detect sub-$10,000 transactions when they are within the normal transactional range on the account or relationship in question, and when there are no other features marking them out as ‘suspicious’. Tie this in with other known truths concerning source of funds or source of wealth (which are not necessarily criminal where terrorist financing is concerned) and the need to keep records readily available for when the security services come calling (essential), and, so the argument goes, training on CFT can be confined to the following points, inserted succinctly at a time or place of your choosing within an existing AML programme:
If the above is essentially what your CFT training says – and if that is pretty much all it says – then you could be selling the risk short within the overall context of your AML or wider financial crime training programme. Why? First, because training on CFT should take place within the context of a discussion about terrorist financing, not one on money laundering. Though they share many of the same characteristics, the two are essentially different activities undertaken by different people for very different purposes. A failure to recognise this and provide appropriate treatment to terrorist financing within the overall AML/CFT programme risks a charge that you have conducted ‘by-the-way’ training (as in ‘Oh, and by the way...’) and failed to educate staff at a basic level.
Secondly, suspicion recognition training for terrorist financing isn’t the total non-starter which it may at first seem, especially if you distinguish between the financing of terrorist movements generally (what we may refer to as Type I terrorist financing) and the funding of individual attacks (Type II). It is of course true that, given the relatively modest amounts required to fund individual attacks, systems and people are unlikely to detect specific funds and fund movements earmarked for those attacks. But fund-raising activities further back up the chain have detectable characteristics that staff need to be made aware of so that they can identify them and take appropriate action. This will become even more relevant now that FATF is expanding its remit to include proliferation (of WMD) financing and the various typologies associated with it.
Thirdly, whilst some might say that a good ‘test question’ for the CFT elements of the overall AML/CFT training programme should be ‘Are there any suspicion indicators that are exclusive to terrorist financing which staff wouldn’t otherwise be aware of from the AML part of the programme?’, this is too restrictive an approach and moreover is definitely not the approach which would have been adopted had money laundering and terrorist financing both arrived as issues on the financial services scene at the same time (instead of money laundering coming along first). Rather, what organisations should be doing for both subjects is providing ongoing training which, apart from the legal basics, is rich in case study, example and explanation, and which over time enables the relevant workforce to construct internal reference frameworks for a wide range of situations and their potential causes; situations which they can compare with events and information that they encounter in their daily work. A workforce that has been educated in this way will be familiar with the underlying methodologies, preferences and structures of both non-terrorist and terrorist criminal groups and is likely to offer the organisation better levels of overall AML/CFT compliance and protection.
As with anything else, training should be geared around the risks that the organisation faces. If you are concerned that your existing training programme may not be hitting the mark as far as CFT is concerned, perhaps because it had been inserted by a predecessor as an ‘add on’ to an existing (and maybe longstanding) AML training programme, or because you do not think that it is detailed enough, then you should conduct a training review. Not only will this help you frame the relevant programme content, it will also help demonstrate that your training has been constructed intelligently, and not just thrown together to tick a box on an internal auditor’s checklist.
A training review is, in essence, no different from a Training Needs Analysis (TNA) in that its purpose is to assess actual versus required training provision, to link training needs to specific individuals (e.g. on a role or business basis) and to set priorities. Remember, the basic structure of a TNA is designed to answer a series of questions about your organisation’s training, and to plan further training accordingly:
Ideally, the training review should occur as an integral part of the wider, regular business risk review, although if it has been omitted from that process it should still be undertaken. The training plan should, of course, be specific about who is going to be trained, what the training will cover and the desired outcomes (e.g. enhanced awareness of use of wire transfer networks by payments staff; or enhanced awareness of use of opaque structures and agent-consultants by corporate and private banking relationship managers, etc.).
Based upon the results of the exercise described above, different organisations will end up with different ideas about how best to segment the various potential content combinations, but it is possible to conceive of the following type of structure, accommodated as an integral yet distinct element within the wider AML training framework.
The foundation elements of the CFT training programme would deal with the core issues of general relevance to most people who have been assessed as requiring AML/CFT training. These issues would encompass areas such as:
The additional elements of the CFT programme would contain more detailed information relevant to front line, customer-facing, operations and managerial staff designed to raise their awareness of how terrorist financing is conducted and would encompass items such as:
The specialist/specific elements of the CFT programme would contain items of specific operational relevance to particular sections of staff conducting certain activities relevant to some important aspects of CFT operations, such as:
Taking such a structure as a starting point, it ought to be possible to construct powerful combinations of training that would be relevant to particular business units or job types. During the course of either a training review or a wider CFT business risk assessment, AML/CFT Compliance Officers may find that certain combinations suggest themselves, which can then be incorporated as distinct elements within the overall programme.
However such a programme is constructed, gone should be the days when CFT is the ‘by the way’ item at the end of your AML training.
The Compliance Officer performs one of the most critical risk control functions within the organisation – namely the safe and effective management of the analysis and reporting of unusual and/or suspicious transactions to the national authorities. They also have additional responsibilities which require a real understanding of and empathy for the businesses they serve.
Compliance Officers must approach their duties from the perspective of a commercial banker committed to the commercial success of the organisation, combined, however, with an essential objectivity and a deep commitment to preventing the use of the bank’s services by criminals, and to cooperating with the national authorities in the successful investigation of actual or attempted instances of money laundering. Each of these perspectives in the overall approach is as important as the other.
Compliance Officers need to remain sensitive to the commercial objectives of the organisation, otherwise they risk creating unnecessary and counter-productive friction with the businesses they serve. They must remember that the organisation’s objectives are primarily concerned with the provision of excellent services to customers at a profit. There is no legal duty on the bank to become a detective in the prevention and detection of crime, nor to marginalise its own commercial objectives in the fight against crime. Forgetting – or even appearing to forget – these realities, makes the Compliance Officer appear detached from the business, and reduces their credibility and effectiveness. Compliance Officers can demonstrate their alignment with business objectives by:
In doing so, Compliance Officers are likely to learn more about the various businesses within the organisation, and thus enhance their ability to make judgements on reported transactions. In particular, the objective of any investigation is always to decide whether a transaction is suspicious and whether it has to be reported, not to prove that the Compliance Officer’s initial ‘gut instinct’ is always correct, in all circumstances.
Equally, Compliance Officers must be wary of accepting explanations for transactions from business managers or customers which are unconvincing and which will not withstand detailed scrutiny. They must have the strength of character and the determination to challenge such explanations, and to dig deeper in search of the truth. At times, Compliance Officers may find themselves subjected to great pressure – particularly where a customer is a good source of revenue for the organisation – to adopt a less searching attitude towards that customer’s transactions. They must resist such pressure, retaining the essential objectivity and independence which is so essential for their role.
In conjunction with the CEO, Compliance Officers should do their utmost to ensure that businesses and business managers adopt due responsibility for assessing the suitability of customers and proposed account purposes at the time when accounts are opened, discussing any uncertainties with the Compliance Officer before account opening takes place. Otherwise, a mentality can develop in which businesses see their role solely in terms of bringing business into the bank and maximising revenue from the account, rather than accepting a joint responsibility with risk functions such as the Compliance Officer for the overall quality of the bank’s business. Disengagement by businesses from this task can result in a wastage of resources as Compliance Officers spend their time investigating transactions that should have been refused upfront. In the worst cases, the reputation of the bank is placed at risk as suspect business which should have been prevented at source is allowed into the bank.
For audit purposes the Compliance Officer should adopt effective procedures for the management of internal reporting of suspicious and/or unusual transactions. Three files should be maintained:
File 1 is the ongoing operational file containing reports that have been made by the businesses and that are being investigated prior to a decision being made on whether they warrant the filing of an external report. Following the making of a decision on external reporting, File 2 is the repository file for those cases in which the Compliance Officer decides that the transactions in question are not suspicious, and that no external report is required. File 3 is the file containing those cases in which reports are filed with the relevant authorities.
In each case following the making of a report by a member of staff, a written record must be kept of the further investigations conducted by the Compliance Officer and of the reasons behind the decision either to report externally or not to report, as the case may be. The purpose of this system is to achieve full, auditable transparency regarding the reporting and decision-making process. It is particularly important that the reasons for any decision not to report a case to the relevant authorities are clear and fully documented, so as to avoid any justifiable criticism of the organisation’s actions in not filing such a report.
Compliance Officers should periodically remind staff about the importance of reporting unusual or suspicious transactions, and should take steps to facilitate such reporting, such as the provision of standard suspicious transaction reporting forms.
Once a report has been filed by a staff member, the procedure for the investigation and subsequent reporting and filing is as shown in Figure 3.6.
For cases in which a decision to report is made, the report itself should be submitted to the relevant authority in the format (if any) prescribed by such authority, and a copy of it retained in File 3 ‘Suspicious Transactions – Reports Made to Authorities’. A copy of the report should also be sent to the CEO and the customer’s file should be removed from the 5-year document destruction cycle, so as to prevent key historic transactional information being automatically destroyed.
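The three-file procedure set out above, as an added example written in Python for this chapter (not code from the book or from any case-management product): a register that only lets a case leave File 1 once the investigation has been recorded and the reason for the decision written down, and that marks reported cases for the CEO copy and the retention hold. Case references, staff identifiers and the authority reference are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class File(Enum):
    ONGOING = "File 1: under investigation"
    NOT_SUSPICIOUS = "File 2: not suspicious, no external report"
    REPORTED = "File 3: Suspicious Transactions - Reports Made to Authorities"


@dataclass
class InternalReport:
    ref: str
    customer: str
    raised_by: str                        # staff member who made the internal report
    summary: str
    file: File = File.ONGOING
    investigation_log: List[str] = field(default_factory=list)
    decision_reason: Optional[str] = None
    external_ref: Optional[str] = None    # authority's reference once a report is filed
    ceo_copied: bool = False
    retention_hold: bool = False          # removed from the 5-year destruction cycle


class Register:
    """Moves internal reports between the three files and refuses undocumented decisions."""

    def __init__(self) -> None:
        self._reports: Dict[str, InternalReport] = {}

    def receive(self, ref: str, customer: str, raised_by: str, summary: str) -> None:
        self._reports[ref] = InternalReport(ref, customer, raised_by, summary)

    def get(self, ref: str) -> InternalReport:
        return self._reports[ref]

    def log_step(self, ref: str, note: str) -> None:
        self._open(ref).investigation_log.append(note)

    def close_no_report(self, ref: str, reason: str) -> None:
        rep = self._open(ref)
        self._require_documented(rep, reason)
        rep.decision_reason, rep.file = reason, File.NOT_SUSPICIOUS

    def report_externally(self, ref: str, reason: str, external_ref: str) -> None:
        rep = self._open(ref)
        self._require_documented(rep, reason)
        rep.decision_reason, rep.external_ref = reason, external_ref
        rep.file = File.REPORTED
        rep.ceo_copied = True       # a copy of the report goes to the CEO
        rep.retention_hold = True   # keep the customer file beyond the destruction cycle

    def contents(self, f: File) -> List[str]:
        return [r.ref for r in self._reports.values() if r.file is f]

    def _open(self, ref: str) -> InternalReport:
        rep = self._reports[ref]
        if rep.file is not File.ONGOING:
            raise ValueError(f"{ref} is already closed in {rep.file.value}")
        return rep

    @staticmethod
    def _require_documented(rep: InternalReport, reason: str) -> None:
        if not rep.investigation_log:
            raise ValueError(f"{rep.ref}: record the investigation before deciding")
        if not reason.strip():
            raise ValueError(f"{rep.ref}: the reason for the decision must be written down")


def build_sample_register() -> Register:
    """Constructed walk-through: two internal reports, one closed each way."""
    reg = Register()
    reg.receive("IR-001", "Customer A", "teller-12", "Cash deposits above expected profile")
    reg.receive("IR-002", "Customer B", "rm-07", "Payment inconsistent with stated business")
    reg.log_step("IR-001", "Deposit history reviewed; amounts match the documented payroll cycle")
    reg.close_no_report("IR-001", "Deposits match the documented payroll cycle; no contradiction found")
    reg.log_step("IR-002", "Relationship manager asked for an explanation; none was convincing")
    reg.report_externally("IR-002", "No convincing explanation for the payment", "FIU-REF-PLACEHOLDER")
    return reg
```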
Complete records of investigations leading to a decision (whether to report or not to report) must be maintained, including details of:
Figure 3.6 STR investigation process
Full correspondence records with the relevant authorities and with any other parties must be maintained following the filing of a report, along with clear records of any actions taken or permitted.
Full cooperation must be extended to the relevant authorities in relation to any investigation which they make into the reported case, including, but not limited to:
The critical factor in deciding whether or not an external report is required is whether or not the transaction or transactions brought to the Compliance Officer’s attention are ‘suspicious’. No definition of ‘suspicious’ can be exhaustive. In its normal everyday context the word means ‘mistrust – the imagining of something but without proof’, and Compliance Officers are expected to use judgement and experience in deciding whether a transaction is suspicious or not, taking into account all the circumstances of the case. Specifically in a money laundering context, however, transactions are likely to be suspicious:
where there appears to be no convincing explanation for them, and
where:
The purpose of any initial investigation into a matter which has been reported internally is not to prove or disprove conclusively whether a suspicion is justified. Rather, it is to establish that there are no known facts that contradict the suspicion which has been raised, or which otherwise suggest that the fears about the customer or transaction are groundless.
Chapter 6 explores the concept of suspicion in greater depth, with the use of a wide range of examples.