CHAPTER 5

Money Laundering Deterrence: The Challenge of Applying a Risk-Based Approach

David Blackmore

MHA

Introduction

The UK anti-money-laundering (AML) regime currently in place is and will remain a challenge for all concerned. There are no guarantees it will succeed in its declared objective of deterring, even reducing, money laundering and terrorist financing. This truly is at the very sharp end of the risk matrix for firms, regulators, customers, and UK plc.

It is important not to overlook the fact that the legislative framework in the UK is one of the most draconian anywhere in the world’s developed economies. The combined provisions of the Proceeds of Crime Act, the Serious Organised Crime and Police Act and the Terrorism Acts, together with the Money Laundering Regulations, represent an awesome battery of investigative, information-gathering, and confiscatory powers in the hands of law enforcement and the regulator, principally the FSA, to confront money laundering and terrorist financing.

The penalties for noncompliance, particularly the “objective test” by which the authorities have all the benefit of 20/20 hindsight with which to allege a failure to make or pass on suspicious activity reports (SARs) to the authorities, are very severe. They carry material risks for all individuals in the financial and regulated sectors, quite apart from the operational and reputational risks for the firms involved. From the regulator’s standpoint, the FSA must operate under the Financial Services and Markets Act (FSMA) 2000 with its statutory objective of financial crime reduction and its own powers as a prosecutor of alleged money laundering offences. Coupled with its “Approved Person” regime and the ability to bar individuals from the industry, this, too, represents a formidable array of powers.

Against this unchanged background, the FSA clearly sees the move to a risk-based approach (RBA) as offering a new chapter in the UK’s AML regime. At a conference early in 2006, the FSA’s Financial Crime Sector Leader, Philip Robinson, made it clear that the regulator now wants to see resources directed at areas of “greater real risk, where the intelligence says the threat really lies.”1 Hitherto, the focus internationally has been on “inputs rather than on outputs.” The FSA will henceforth make use of economic theory models, including market failure and cost-benefit analysis, to monitor the effect of its work “to shift the supply curves in the fundamental criminal markets that produce the dirty money in the first place.”2

In parallel with the changes to the FSA’s rules through the abolition of its ML Sourcebook and the transposition of its key parts plus new additions to its SYSC (Systems and Controls) Handbook, comes an industry initiative via the Joint Money Laundering Steering Group (JMLSG). The JMLSG, a limited company owned by the major trade associations in the finance industry, has issued revised Guidance that replaces the previous Guidance Notes. This, too, takes an RBA and, for the first time, both organizations have moved from greater prescription to greater reliance on principles and guidance, albeit with minimum standards in key areas such as verification of client identification (ID & V) and “know your customer” (KYC).

Thus, while the UK continues to use a parallel framework for AML and counterterrorist financing (CTF), its practical implementation is in the process of radical change. The drivers for this process have been as follows.

  • The “one-size-fits-all” policy has not delivered the output required in terms of useable intelligence and reports leading to convictions. It was perceived as inherently wasteful.
  • Firms have incurred huge costs in trying to make it work. The focus was on avoiding regulatory risk rather than on reducing financial crime. Consequently, large numbers of honest customers became very irritated. Hence, consumer complaints of overzealousness, inflexibility, and counter-productive procedures by firms rocketed.
  • Vigorous enforcement by the FSA has fueled both the “fear factor” in firms and the complaints by customers, creating an ever-decreasing circle of ineffectiveness. Coupled with the well-documented drawbacks in the SARs regime, policy-makers in both the public and private sectors have accepted the necessity of change.

We shall now examine the UK regime in greater depth, to be followed by an analysis of the principal challenges faced by the major stakeholders.

The UK’s Risk-Based Approach (RBA)

The RBA is predicated on addressing the perceived failings of the past, which, in summary, created a vicious circle of prescription, cost, futility, disillusion, and backlash and which has enveloped all stakeholders.

Key elements in driving the change to the RBA have, therefore, been the revised FSA SYSC rules and the industry’s 2006 Guidance, both “in force” since September 1, 2006. In general, although how risk is managed may vary somewhat depending upon the industry context, there is a basic methodology:

  • identify the inherent risks and vulnerabilities;
  • assess the risks;
  • take steps to mitigate them;
  • monitor them; and
  • document all that is done.

All this is on a dynamic basis with the results of experience and/or periodic review factored back into the loop. Taking an “holistic” view of all financial crime, that is, money laundering, fraud, market abuse, corruption, and terrorist finance, is a requirement of the FSA’s SYSC rules3 and undoubtedly complicates the process as it cannot be assumed that all risks are the same. However, what is now required can be summarized as follows.

Risk Identification

AML risks, like other risks, are a direct function of a firm’s business profile. The firm-unique analysis will involve:

  • the sectors of a firm’s operations;
  • its actual products and services;
  • its customer types;
  • the delivery channels used (principally, face-to-face or non-face-to-face); and
  • the geographical factors of where customers live and where they do their business.

Paragraph 4.1 of the Guidance reminds all that the key factor is inherent risk:

Senior management of most firms, whatever business they are in, manages its affairs with regard to the inherent risks in its business and the effectiveness of controls it has put in place to manage these risks. A similar approach is appropriate for managing the risks of a firm being used for money laundering or terrorist financing.4

Risk Assessment

Unlike some other business areas (e.g., credit or market risk), AML risk cannot be quantified with reasonable confidence. Historical experience cannot be used with the same reliance. Currently, AML risks have to be assessed on a more intuitive basis by reference to plain common sense, available typologies (e.g., from the Financial Action Task Force (FATF), the Egmont Group, the Basel Committee, the Serious Organised Crime Agency (SOCA), JMLSG, and others) and what can be gleaned from law enforcement, as discussed later. The JMLSG Guidance offers both general principles and sector-specific content in Parts I and II, respectively. In order to carry out a meaningful risk assessment, a number of questions will need to be asked in the context of where the risk lies. For example, in relation to the customer:

  • What is the risk posed by the firm’s customers, for example, complex business ownership structures, “politically exposed persons” (PEPs), and cash-based businesses?
  • What risk is posed by a customer’s behavior, for example, lack of commercial rationale or where origins of wealth or source of funds cannot be easily identified?
  • How does the way a customer comes to the firm affect the risk, for example, one-off transactions, introduced business or non-face-to-face?
  • What risk is posed by the products/services the customer is using? For example, do the products allow third-party payments? Is the product vulnerable to money laundering or is the risk related to the assets/funds placed with or moving through the firm?

Paragraph 4.16 of the JMLSG Guidance advises that many customers will, by their nature or what is already known about them, carry a lower money laundering or terrorist financing risk. An example is a customer who is employed, or retired, with a regular source of income from a known employer that supports the activity being undertaken. Paragraph 4.17 advises, however, that the combination of customer and product can adversely affect the money-laundering risk.5

Arguably, the risk assessment is the most important part of the whole approach. It requires firms to “think criminal” and informs management in a stark, sometimes quite brutal way of just how products and services can be misused for criminal purposes. Thus, this assessment influences policies, procedures, handbooks, training strategy, content, and delivery. It also influences the monitoring system(s), both technology-driven and people-based, which will be needed to test the effectiveness of controls and to provide the basis of “reasonable grounds” for suspicions or knowledge which lead to the potential generation of SARs.

Needless to say the assessment, documented and approved at the senior management level,6 will be a sought-after item by both regulators and external auditors, even if it endorses and justifies the status quo. In these circumstances, it must be assumed that if any firm chooses not to take a risk-based approach, the only acceptable alternative would be to treat all products and customers as high risk. Standards and procedures commensurate with high-risk situations would then need to be applied across the board. As the Guidance says, the approach in any given firm “is ultimately a question of judgement by senior management in the context of the risks they consider the firm faces.”7

It is, however, argued that this is not the only consideration. As will be seen later in this chapter, there are new challenges for both firms and regulators that need, over time, to be faced and reconciled.

Risk Mitigation

The whole context is not, of course, new. Most bankers would argue that “this is what we do” in credit, trading, and operations. The key change brought about by the JMLSG Guidance and FSA rules is that the familiar tools must be used in a more targeted and balanced way.

Thus, relatively less weight will be attached to identification documentation. The base requirement for personal ID for “standard” risk has a relatively small threshold—name, plus address or date of birth. This, however, is what must be verified (ID & V) as opposed to further KYC information that may be collected, but only verified at the choice of the firm itself.

This separation is a sea change, which, anecdotal evidence suggests, many firms are struggling with. On the one hand, the possibility of a single ID token, coupled with the acceptability of electronic verification, reliance on (regulated) others and the retention of the “source of funds concession” are welcomed. On the other, the “holistic” approach to financial crime seems to be leading to the retention of at least two ID & V items: one for AML; the other as an additional anti-fraud (especially identity fraud) check.

On the corporate side there seems to be a widespread view that the Guidance ID & V thresholds are too low, particularly for smaller, non-quoted private companies. Typologies suggest, time and again, that these are the vehicles of choice for launderers. The current concern recently voiced both by Companies House and the Federation of Small Businesses8 over concerted attempts to steal company ID seems to bear this out.

It is, therefore, just as well that the JMLSG Guidance recognizes the inherent risk of the risk-based approach. There is a warning that it is not an exact science. Identification of a customer as either high or low risk for AML purposes does not mean that the classification is automatically correct. “Staff therefore need to be vigilant in using their experience and common sense in applying the firm’s risk-based criteria and rules.”9 This, as will be seen, is a major recruitment, retention, training, and awareness challenge.

Risk Monitoring

Earlier in this chapter, the role of monitoring was identified as crucial both for reviewing customer behavior as well as for establishing the effectiveness of the firm’s regime overall. Thus, a firm’s monitoring structure needs to be dynamic, that is, the firm has to be systematically alert to both external and internal changes in its AML risk profile that in turn require changes to its risk-mitigation strategies. This is particularly important where new products and services are concerned, or where a firm enters into or withdraws from a particular market or sector. Criminals and terrorists do not stand still either—the launderers, the sources of criminal assets and laundering techniques will also change continually.

Aspects that make up a monitoring regime will therefore include:

  • appropriate procedures to identify changes in customer characteristics that come to light in the normal course of business;
  • reviewing ways in which different products and services may be used for money laundering or terrorist financing purposes and how these ways may change;
  • adequacy of staff training and awareness;
  • monitoring/compliance arrangements;
  • the balance between technology-based and people-based systems;
  • capturing appropriate management information;
  • upward reporting and accountability;
  • effectiveness of liaison with other parts of the firm; and
  • effectiveness of the liaison with regulatory and law enforcement agencies.10

Documentation

Given that risk-based AML is dynamic, systematic, and rational, an ever-greater importance may now be attached to recording what is done and why. The linkage between the ML Regulations, FSA rules, and JMLSG Guidance 2006 means that documentation forming the basis for the risk assessment should enable the firm to demonstrate to the regulator and/or a court of law:

  • How it assesses the threats/risks of being used in connection with money laundering or terrorist financing;
  • How it agrees and implements the appropriate systems and procedures, including due diligence requirements, in the light of its risk assessment;
  • How it monitors and, as necessary, improves the effectiveness of its systems and procedures; and
  • The arrangements for reporting to senior management on the operation of its control processes.11

Therein lie a number of challenges to all firms covered by the ML Regulations. Some have been alluded to in the course of describing the key elements of an RBA. It would now be appropriate to analyze the key challenges and how, thus far, firms are dealing with them. They can be summarized as:

  • The philosophical challenge;
  • The cultural challenge;
  • The management challenge;
  • The regulatory and reputational challenge; and
  • The global challenge.

The Philosophical Challenge

No one should underestimate the magnitude of the task involved in shifting from conventional to risk-based AML. The latter is a sea change from a one-size-fits-all approach. It involves discriminating between different customers, products, countries, and so on. It may involve more tailored, even quite sophisticated staff training. It involves decision making on the basis of weak data. It requires the use of judgment. All these can look wrong with the benefit of hindsight, increasing both regulatory and reputational risk, particularly as far as the “objective test” under the Proceeds of Crime Act 2002 is concerned.

All the more important, then, that action, decisions, and judgments are documented. There is some increasing evidence that the revival of the simple “file note” is contributing helpfully in many firms.

Whereas the “tick-box approach” suffered from its potential to encourage mindlessness, the RBA demands thoughtfulness, an ability to ask common sense questions and then to review the results under the maxim “does this all make sense?” Allied to that, the RBA involves continuous learning delivered in a way that is relevant to jobs and roles rather than training by rote under the one-size-fits-all banner.

The Cultural Challenge

Essentially, the RBA requires flexibility and the empowerment of a larger and not necessarily only senior cadre of staff. To those firms used to a “top-down” culture, this is proving to be a key challenge that is requiring an educative process going far beyond the AML/financial crime areas. It is seen mostly, but not exclusively, in some of the UK operations of firms domiciled in jurisdictions which themselves have a more authoritarian, less democratic political culture and where the state has an even greater role in the financial sector than in less centralized systems. It is also seen in firms governed with a “directive-led” rather than consultative management style.

Such firms may well take longer to adjust to the changed UK reality. They feel more comfortable with a prescriptive regime and thus the classical approach to AML may seem beguilingly simple and therefore attractive. As has been seen from past FSA enforcement actions since 2001, however, even this approach carries reputational risk. It may well be that the one-size-fits-all approach will necessarily be suitable for some customers and activities but totally unsuitable for others. It will be disproportionately burdensome for lower-risk customers and activities. Some firms are already finding that AML is becoming a competitive issue as customers become more aware of what is now available elsewhere in the marketplace and are voting with their feet.

The Management Challenge

The new regime places significant obligations on senior management, including the MLRO. The MLRO remains “the focal point” for all activity within the firm relating to anti-money laundering.12 Nevertheless, ultimate responsibility is placed squarely upon the shoulders of the governing body or senior management for the establishment and maintenance of effective systems and controls.13

Those managements and boards used to treating AML as a rather inconvenient hindrance to business and as an item to pay little more than lip service to will need fundamentally to reconsider their approach and attitude. Through the allocation of responsibility to a senior manager or board member, the entirety of management is brought closer to responsibility for anti-financial crime. There is no ring-fence between the specified director or senior manager and the rest of the board. The degree of risk to the firm and its controllers/directors is significantly raised and no one will be able to distance themselves from failures or knowing neglect in compliance. Further regulatory risk might arise from failings in AML, leading to deeper enquiries by the regulator into a firm’s controls as a whole. A regulatory time bomb indeed!

Thus, those firms that are already very familiar with the risk-based approach to concepts of market, credit, liquidity, and operational risk and of consumer risk, and that apply the techniques to audit and corporate governance are experiencing less difficulty than those unused to such approaches. There are spin-off benefits to be obtained, too, such as that AML and financial crime controls can be factored into the qualitative measures used to determine capital adequacy under Basel II.

A further dimension to the management challenge revolves around the coordination of all anti-financial-crime measures within a firm particularly when the MLRO-nominated officer (under the ML regulations) or board/senior management member are not the same person. Some firms are grasping the nettle and creating a unified “financial crime department.” Others seem to be sticking to separate fraud, compliance, and AML divisions. Such structures could still work, providing effective arrangements for the coordination of effort are demonstrably in place. It would, however, seem that a unified entity offers a better prospect for a proportionate and reasonable approach to dealing with financial crime risks.

Lastly, in the run-up to the JMLSG Guidance launch and in consultation over the FSA’s revised rules, it was heard in some quarters that the whole exercise would save costs by being more efficient, targeted, and rational. While it is probably true to say that even for large, complex firms a risk-based approach may not involve greater net cost, the net effect depends on the firm’s business profile. It would be missing the point to nurture the view that the whole venture is about trimming compliance costs. As Philip Robinson pointed out in May 2006: “A risk-based approach demands a mature, informed and thinking approach by firms. It isn’t an easy option and it’s not necessarily the cheapest; but it’s the best one.”14

The Regulatory and Reputational Challenge

These are deliberately bracketed together if only to point up their close association not only for firms but also for the regulator. It was said earlier that AML/financial crime could well become, over time, a competitive issue as there is no longer a level playing field (if ever there was one, particularly on an EU or global scale). The new FSA SYSC rules are an acknowledged segment in the FSA’s move to “principles-based regulation.”15 The “fear factor” is, nevertheless, still causing concern in some firms whereby they feel open to FSA challenge and enforcement action on the basis of hindsight and which could be inconsistent and arbitrary, depending on the attitude of individual FSA supervisors and enforcement personnel.

Time will tell just how real or imaginary these concerns will be. The FSA has certainly recognized the risk and acknowledges it too has major challenges in how it supervises, how it uses its enforcement powers, and how it works in partnership with industry, law enforcement, and central government.

To be fair, the FSA has on numerous occasions tried to allay these concerns. While expecting much from senior management, the FSA states that it is “not an enforcement-led regulator.”16 Further: “We believe in the risk-based approach, so we realize that things will sometimes go wrong. Zero failure is impossible to achieve . . . if a firm demonstrates that it has put in place an effective system of controls, enforcement action is very unlikely.”17

Even so, it can hardly be overstated that, for firms, the risk-based approach is critically dependent on industry confidence in the way the FSA uses its supervisory (ARROW 2) and enforcement tools.

For firms that do get it wrong, however, or show willful blindness to the risks they face, the Riggs Bank case is hugely instructive. It demonstrates how a properly instituted, resourced and clear risk-based approach might have mitigated what became a disaster for all concerned:

In the aftermath of Riggs many believed that banking embassies or diplomats was in and of itself high risk. I don’t believe that nor do I believe banking PEPs (politically exposed persons) is automatically high risk. What is true is that those customers present a potential for higher risk, and it is the job of compliance, management and the Board of Directors to understand what those risks are, how to mitigate them, the costs of mitigation and whether proper risk management is sustainable.18

David B. Caruso, who wrote those words, was the Executive Vice President of Compliance & Security at Riggs Bank from June 2003 until May 2005. Caruso and his staff were hired to address concerns raised by US regulators of the Riggs relationship with a number of high-profile embassy and diplomatic clients.

The Global Challenge

For those firms operating across borders, what happens elsewhere in the world presents another batch of risks, as money laundering and terrorist financing are global problems. A major task for such firms continues to be the coordination of effort over very different markets, jurisdictions, and structures of regulation. Given the priority that governments and intergovernmental bodies such as the UN, FATF, EU, World Bank, and OECD ascribe to countering money laundering and terrorism, it can be expected that the global challenge to firms can only increase in both scope and depth.

A good example is the EU’s 3rd AML Directive, which, like the FATF’s 40 + 9 Recommendations, contains an inbuilt tension between its apparent commitment to a risk-based approach and its explicit presumptions that certain activities are low risk and that others are high risk. It also opens the way for the Commission to develop, as it has, “technical criteria” for such activities. The clear danger is an EU-led reversion to another tick-box, one-size-fits-all model. Much, therefore, depends on how HM Treasury sees fit to implement the Directive in the UK by a revision of the Money Laundering Regulations by December 2007.

Some Tentative Conclusions

Even at this early stage, it is possible to offer some brief indication of how things are shaking down, gleaned mainly from “on-the-ground” experience with firms of all types, with very different business profiles and operating across a variety of sectors, markets, and jurisdictions.

Industry is making a serious attempt at implementing a risk-based approach. As a result of the cultural and philosophical factors described earlier, initial results are patchy but this is not unexpected given the magnitude of the attitude change involved. Thinking about money laundering in terms of risk is novel.

Some senior managements have a way to go and are lower on the learning curve than they should be at this stage. Even if they decide not to change their procedures and retain the status quo on ID & V plus KYC, that still needs justifying, documenting, and top-level approval.

Even if these items are in place, attention still needs to be given to the consequential changes to an integrated risk-based anti-financial-crime regime. For example, have the MLRO, internal audit, compliance and risk management managers arrived at a common understanding of “risk” so that the whole regime is, as it were, singing in tune from the same hymn sheet? Has the HR function become fully on-board with the requirements for tailored training and awareness programmes, adjusted job descriptions to reflect who now does what and are appraisal plus remuneration structures attuned to the new approach? If successful, the risk-based approach should motivate through results rather than depress through a sense of futility and sullen acquiescence.

The risk-based approach requires thoughtfulness on the part of all stakeholders. It is a cast of mind, not a static model or purely mechanical process. Experience of other disciplines, which have had this approach for years, has shown that techniques evolve slowly over time with the help of collective experience and applied brainpower.

Thus a pragmatic and open-minded commitment from all stakeholders, but particularly the FSA, is of the first importance. This will not bed down overnight.

Going Forward

In keeping with the dynamic of a risk-based approach, it might be reasonable to foresee some developments that impinge directly on stakeholders, but particularly those regulated firms at the very sharp end of the regime.

Implementation of the EU’s 3rd ML Directive (EU3) will set the tone through new Money Laundering Regulations. If the approach taken by the FSA, the JMLSG, and UK industry is to survive as intended, then it is vital to ensure that the Treasury’s Consultation Draft Regulations Paper19 is read and responded to in order to defend firms’ ability to judge for themselves where their risks lie. Gold-plating by the UK should be resisted if it does not add clarity and value to the risk-based approach.

Similarly, an active response from industry is needed to the Home Office’s Serious Crime Bill 2007, following its consultation on proposed new powers against “organized and financial crime.”20 This begins to address the significant legal and reputational risks which firms are experiencing constantly as a result of the clear failings and deficiencies of the “consent” regime contained in the Proceeds of Crime Act 2002, as amended by the Serious Organised Crime and Police Act 2005.

Further development of what has become known as the “partnership approach,” so as to upgrade the contribution of the public sector to that already made and which continues to be made by industry in systems, training, and the operation of the SARs regime. Effectiveness of the risk-based approach will not be maximized without informed and systematic alertness on the part of the private sector and a clear recognition by all public sector bodies of the value they can gain from providing the private sector with the fruits of well-resourced intelligence.

Both SOCPA and the FSA recognize this and are very publicly committed to making it a reality. The government machine must become an active information sharer and get “worked-up typologies to the industry a lot faster to help them inform their risk mitigation strategies.”21 Partnerships are two-way relationships and it is by no means clear at this point that all in the government sector have appreciated this fact.

This, in turn, will crucially underpin and reinforce trust and cooperation between law enforcement, regulators, and the private sector. The benefits from the relationships forged in the heat of terrorist-related incidents and alerts are becoming more widely appreciated. Siloed working in both the public and private sectors must therefore be reduced wherever and whenever possible to maximize the outcomes that all desire from the risk-based approach.

We now at last have the 5th EU money laundering directive. Whereas the 4th directive made limited impact in the UK since it replicated much of the regime we already had in place, the 5th directive is something more. Not only does it provide greater guidance on expectations for enhanced due diligence, but it also addresses emerging issues in areas such as cybercurrencies and blockchain. Indeed, the emergence of these new payments media has changed the money laundering roadmap significantly and raised a series of concerns. By regulating the exchanges as well as the interaction with the banking economy it is clear that this part of the industry can also be brought into the mainstream, although this has to be at the expense of anonymity.


1 Robinson, P. 2006. FSA Financial Crime Sector Leader, speech to the JMLSG Guidance Conference, May 2.

2 Ibid.

3 FSA SYSC Rules, 3.2.6.R.

4 Joint Money Laundering Steering Group (JMLSG) Guidance 2006 Part 1, Chapter 4.1.

5 Ibid., Part 1, Chapter 4.16–17.

6 FSA SYSC Rules, 3.2.6.G G (3).

7 JMLSG Guidance 2006, Part 1, Chapter 4.5.

8 BBC News, August 14, 2006; “Small firms face identity threat.”

9 JMLSG Guidance Part 1, Chapter 4.26.

10 Ibid., Chapter 4.27.

11 Ibid., Chapter 4.28.

12 FSA SYSC Rules, 3.2.6.J G.

13 Ibid., 3.2.6.H R.

14 Robinson, P. 2006. Speech to the JMLSG Guidance Conference, May 2.

15 Ibid.

16 Letter from Philip Robinson, FSA Financial Crime Sector Leader, to Ian Mullen, Chairman of JMLSG, April 10, 2006.

17 Robinson, P. 2006. Speech to JMLSG Guidance Conference, May 2.

18 Quoted from the Foreword to the paper “Reputation Damage: The Price Riggs Paid,” a case study published by World-Check (Global Objectives) Ltd, 2006.

19 “Implementing the Third Money Laundering Directive: Draft Money Laundering Regulations 2007,” HM Treasury, January 2007.

20 “New Powers Against Organised and Financial Crime,” Cm. 6875, The Home Department, July 2006.

21 Robinson, Philip. March 2006. FSA Financial Crime Sector Leader, speech to the Asia-Pacific Financial Crime Conference, Singapore, July 2006. See also “The Lander Report” (“Review of Suspicious Activity Reports Regime”), SOCPA.
