CHAPTER 11
RISK MANAGEMENT AND MONEY-LAUNDERING DETERRENCE

11.1 THE RISKS WITHIN MONEY-LAUNDERING DETERRENCE

Financial crime represents a major source of risk to a firm and always has a high priority with both regulators and the board. This means that it is important for money-laundering deterrence and terrorist-financing avoidance to be included within any enterprise risk-management framework. It also requires major control and management programmes to be implemented effectively. At the heart of a successful enterprise risk-management programme are the key concepts of risk identification and risk appetite. In the case of financial crime deterrence, a key control must be effective training together with the Know Your Customer processes and procedures, as discussed in earlier chapters and reiterated later here.

A firm faces a series of risks when considering financial crime deterrence programmes and policies. Some of these follow from the nature of the illegal events themselves and others from the way that the firm deals with these events in practice. The risk management of financial crime deterrence comprises several layers of control that always need to be present within the daily operations of the firm. Firms also need to have the governance structures in place to ensure that prompt and effective action is taken when a case requiring either investigation or reporting is identified.

It is imperative that firms constantly review their corporate structures to see that their chosen approach to risk management of money-laundering deterrence remains appropriate, is consistent with local and international rules and regulations and accords with their business models.

Certain types of business which might be considered to be of higher risk will warrant a greater level of risk management control than would be the case for other businesses. Examples of high-risk businesses would be ones that regularly receive funds from individuals in what might be considered to be higher risk jurisdictions, ones that accept significant levels of cash or ones that only deal with their customers remotely. Each of these types of business would require a level of enhanced due diligence and additional, ongoing monitoring to be conducted.

According to the then UK regulator, the FSA, in June 2012, some of the most common problems being experienced by firms are:

  • Failure to identify PEP accounts;
  • Failure to conduct enhanced due diligence on high-risk accounts;
  • Inadequate challenge from relevant staff when high-risk factors are clearly apparent; and
  • The firm continuing to accept customers or continuing relationships when serious allegations about criminal activity have not been considered properly.

The requirement for staff to have a detailed understanding of their roles and obligations within a financial crime deterrence regime operates at all levels of the business, from the doorman to the Chairman. It also needs to take into account outsourced service providers, contractors and temporary staff. A well-equipped financial crime deterrence team will include senior management that possesses the necessary expertise to enable it to be authoritative in the implementation of a risk-based approach to money-laundering deterrence.

It is, however, a fallacy for any firm to believe that any level of monitoring will result in the risks relating to financial crime being totally eradicated. What a firm is seeking to do is to minimise the risks using a risk-based approach and to have the policies and procedures in place that meet the expectations of the regulator, market and society to act as a defence if risks actually crystallise.

The key risks that apply in this case might be categorised as follows:

  • Regulatory risk
  • Reputational risk
  • Operational risk.

11.1.1 Regulatory Risk

Regulatory risk is generally part of operational risk, as set out within the Basel Accord as promulgated by the Bank for International Settlements, which we shall consider later in this chapter. However, it is generally managed separately, although often the ownership of this risk is unclear. It may seem appropriate for the Money Laundering Reporting Officer to own regulatory risk for financial crime deterrence. That would make that person responsible for ensuring that the firm has the policies and procedures in place to meet the expectations and demands of local regulators, and also those of international regulators where relevant.

What the MLRO cannot be made responsible for is any case of money laundering or terrorist financing that is actually found in practice. Their role is to ensure that staff are trained and that the procedures required by the local jurisdiction are implemented, including the investigation and reporting of complaints. This will, however, not entirely stop the firm being used by money launderers, given the complexity and sophistication of the techniques applied to circumvent banking controls. It may nonetheless reduce the incidence or severity of illegal activity.

In terms of the management of regulatory risk, it will be important for the firm to have access to the necessary lists and reports which highlight high-risk or inappropriate customers, including sanctions and politically exposed person (PEP) lists. Senior management will want to know that these lists have been received and promptly acted upon by the relevant bank officials.

There will also need to be a system to ensure that changes in applicable rules and regulations are identified promptly, and that necessary changes to policies and operating procedures are implemented. It may well be that the person responsible for regulatory risk only provides guidance to others, who are then responsible for implementing the necessary changes, but such delegation of responsibility does not come without an element of risk. We would always recommend that the person with the regulatory responsibility undertakes such monitoring as they consider adequate to ensure that necessary changes are made and tested prior to final implementation. They may also require an element of ongoing monitoring to be conducted, together with commensurate reporting.

One additional matter that needs to be considered is whether any of the regulations actually operate extraterritorially and also how they are impacted by data secrecy laws applying in another jurisdiction. While it is an objective for data secrecy rules not to impede investigations, it is still worth checking what the actual position is in a jurisdiction and taking appropriate local legal guidance where necessary.

11.1.2 Reputational Risk

For any institution, maintenance of its reputation is central to long-term success. Without a reputation, a firm is really nothing, since there is little that one bank could do that another could not easily copy.

A significant failure to protect itself from dealing with unscrupulous individuals or companies can significantly impact the reputation of a firm. Indeed, as we shall see, even failing to maintain adequate operational controls can cause reputational impact. Ownership of reputational risk within a bank is often unclear and it is rarely identified as a separate risk class, since its occurrence is generally the consequence of the occurrence of another risk. However, this does not need to be the case, since a rumour concerning the nature of the customer environment of a bank can be created by anyone using electronic media, and this has the potential to severely impact reputation.

The recent case involving HSBC in December 2012 clearly highlights the importance of the issue. In a press release, HSBC confirmed that it would pay US authorities $1.9 billion in a settlement over money-laundering failures. In a statement, HSBC admitted having had poor money-laundering controls.

The bank said it had subsequently spent $290 million on improving its systems to prevent money laundering and clawed back some bonuses paid to senior executives in the past.

The relevant US Senate report was heavily critical of HSBC's money-laundering controls. The report alleged that:

  • HSBC in the US had not treated its Mexican affiliate as high risk when the Senate believed that it should have done so;
  • The Mexican bank had transported $7 billion in US bank notes to HSBC in the US, but HSBC had not considered that to be suspicious;
  • It had circumvented US safeguards designed to block inappropriate transactions, including allowing 25,000 transactions over seven years;
  • In less than four years it had cleared $290 million in “obviously suspicious” US traveller's cheques for a Japanese bank.

Again, the issue relates to a jurisdiction considering certain activity as reasonable but being unable to defend it to a regulator. The key point is that the firm is not only required to avoid money laundering and terrorist financing, but must clearly have in place the controls and procedures that the regulators expect.

Modelling and Managing Reputational Risk

Modelling reputational risk is still at an early stage of development in most firms, yet it is not difficult to model effectively. Using the simple metric based on the principle that an event has to occur, it has to become public and the public has to care, then it is relatively straightforward to design appropriate approaches. Of course, the frequency of the event does make a significant difference and would need to be factored in as well.

The management of reputational risk does need to be considered as a separate issue, if only to ensure that no matters are omitted. The reputational risk programme in this case will start with the senior management operating a tone from the top that is appropriate. It will then be important for the firm to consider the nature of the relationships that it maintains and the level of monitoring that it should conduct. This will be designed not only to meet the regulatory demands but also to ensure that, as far as possible, the firm is able to justify its actions in public to counter any reports made.

Know Your Customer (KYC) requirements will be a significant part of this, as considered in Chapter 13. The basic and most essential feature of all anti-money-laundering legislation and regulations all over the world is the need for detailed customer due diligence to be conducted. Companies must carry out additional due diligence requirements on relationships identified as being of heightened risk in order to gain in-depth knowledge of the customer they are dealing with.

Information which is provided by customers cannot be taken at face value, as the risk of not undertaking or investigating the validity of customer information can result in serious consequences. Due diligence requirements will typically impose requirements on firms to enable them to understand their clients. While the actual local requirements will vary between institutions and jurisdictions, the objectives will not vary. Indeed, the work conducted on a risk basis to actually confirm identity will need to be sufficient to effectively mitigate the perceived transaction and relationship risks.

KYC is essentially conducting background checks on clients and customers to enable the firm to acquire additional information regarding their customers, so that they can be assured that they are not conducting inappropriate activity. While there is always an attempt to identify the inappropriate, there can be no certainty that all such cases will be identified; so there will need to be an approach to adopt in cases where, regardless of the efforts of the firm, a case of money laundering or terrorist financing fails to be identified by the firm and is, instead, identified by enforcement agencies.

In such cases, the firm needs to have its communications team adequately briefed on the nature of the generic procedures that the firm always undertakes. Without discussing any specific case, they would need to disclose that the firm takes its obligations seriously and undertakes checks that go beyond those required by local legislation, and that there is no claim that the firm deliberately was involved in facilitating the activity. Highlighting that criminal elements are increasingly sophisticated and accordingly even the most prudent of firms can inadvertently be caught in the net will also be of assistance. It is paramount that the individuals providing information on behalf of the firm are appropriately trained, able to provide the information required with confidence and have the ability to reinforce the reputation of the firm.

As part of the KYC procedures, the firm should conduct such detailed enquiries as it considers necessary using the risk-based approach to validate documents and information provided by the customer. Even though this is generally not required by legislation, we would still recommend that a firm should attempt to substantiate claims regarding the source of funds. Thinking of the case of a firm that has been found to be harbouring a money launderer, trying to justify simply recording the source without verification would represent a difficult position to support.

Increasingly, regulatory authorities in sophisticated financial centres are taking the view that it is not enough merely to know your customer through obtaining identification documents. There is an increasing expectation that a firm should go behind the information provided by a customer to test its validity. Such checks should occur at the beginning of any financial relationship where the accepting business must satisfy itself that the new customer is an appropriate firm to do business with. No relationship should be worth the reputation of the firm, so the old mantra “If in doubt, throw it out” will remain valid.

The importance of carrying out KYC due diligence cannot be overstated, as inadequate KYC due diligence may make the difference between a transaction being carried out and not being carried out. If an entity cannot obtain sufficient detail to establish the customer's identity, or if there are any suspicions about the background of the customer, a customer relationship should generally not be established.

Why should firms carry out KYC requirements?

The UK regulations state:

The UK's approach to identification requires the firm to consider the risk of money laundering based on its client portfolio and range of services. It recommends a standard approach to identification, with additional information where the risk profile of a particular client or class of client and/or service requires it.

What does KYC involve?

Usually, this system of control involves taking identification in some prescribed form, as discussed in earlier chapters. Typically, documents such as national identity cards, passports and driving licences are recommended to be taken and the details contained on them recorded and kept for a designated number of years. Records are usually kept for up to five years from the date of the transaction. It is always necessary for the firm to look at the specific requirements within its country and at least to undertake the work required by these rules. However, we would also recommend that a risk-based approach should be applied to the level of work to be conducted to ensure that the work actually undertaken is commensurate with the level of reputational risk that the relationship poses to the firm.

KYC – What to look out for

There are always different types of transaction which might be considered to pose an additional risk of being inappropriate and therefore warrant additional investigation. The following list is in no way exhaustive, but it does represent a starting point for such investigation. Many of the software tools available will look at relationships in this way and highlight the accounts which are most likely to represent inappropriate activity and therefore will warrant additional investigation. These include the following:

  • New business customers that are reluctant to provide information on their business activities, location and directors.
  • New personal customers who supply incomplete, conflicting or incongruous information when establishing a relationship.
  • Customers who do not provide phone or fax numbers or those for whom the numbers provided relate to serviced office/accommodation addresses.
  • Diplomatic passports from what might be considered by the firm as being relatively obscure countries, or ones where it would be hard for the firm to recognise a legitimate passport. Any country where passports can easily be obtained by paying for them would also represent a higher risk. Such passports may be genuine (i.e. genuinely issued after payment); however, this does not mean that the holder is genuine or that the name shown on the passport is the real one. The firm should try to evaluate whether the other details given, together with the appearance/attitude of the person, match whatever diplomatic post he/she is claiming to hold.
  • Residential addresses of applicants may be mail-drop addresses (beware of “Suite” numbers, home addresses in downtown business areas, PO Boxes and incomplete addresses). The firm should check for a telephone listing for the person at the given address and carry out a credit reference check on that address. The emergence of social media also provides the firm with other sources of information that might be used for confirmation of information.
  • No firm should accept photocopies. Original sources are more reliable and less likely to have been tampered with.
  • It is doubtful whether one organisation can rely on the due diligence/KYC checking conducted by another organisation. To avoid issues of liability, it is always best for a firm to carry out its own due diligence.
  • The firm should be suspicious of businesses that present financial reporting that is at odds with similar-sized businesses in the same industry sector.
  • It should also be suspicious if a group of accounts or relationships is opened by foreign nationals who visit the organisation together on the same day. A situation that is far more difficult to identify is where multiple accounts or relationships are opened on the same day by a group of foreign nationals at different banks/companies in the same city.
  • Suspicions should also be aroused if multiple business relationships are opened by an individual using the same address, or different individuals using the same address. Additionally, definite suspicion should result if numerous accounts or relationships are established using variations of the same name.
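The list above is the kind of rule set that the screening tools mentioned earlier apply across a whole customer portfolio, since several of the flags (shared addresses, name variations, same-day group openings) only show up when applications are compared with each other. The following is an added illustration, not code from the book or from any vendor's product: it screens a handful of constructed onboarding records against the missing-contact-details, mail-drop address, incomplete-information, shared-address, name-variant and same-day-foreign-group flags, and the field names, the crude name-matching key, the home-country code and the review threshold are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Suite" numbers and PO Boxes are the mail-drop indicators named in the text.
MAIL_DROP = re.compile(r"\b(suite|p\.?o\.? box)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    address: str
    phone: Optional[str]
    opened_on: str        # ISO date the relationship was applied for
    nationality: str      # ISO country code (assumed field)
    info_complete: bool   # activity, location and director questions answered


def name_key(name: str) -> str:
    """Crude key (surname + first initial, letters only) so that 'J. Smith',
    'John Smith' and 'Jon Smith' collapse together. An assumption for the
    example, not a production name-matching algorithm."""
    parts = re.findall(r"[a-z]+", name.lower())
    return f"{parts[-1]} {parts[0][0]}" if parts else ""


def screen(apps: List[Application], home_country: str = "GB",
           group_size: int = 3) -> Dict[str, List[str]]:
    """Return {app_id: [flags]}. Per-record checks come first; the address,
    name-variant and same-day checks use portfolio-wide context."""
    by_address, by_name_key, by_day_foreign = defaultdict(set), defaultdict(set), defaultdict(set)
    for a in apps:
        by_address[a.address.strip().lower()].add(a.app_id)
        by_name_key[name_key(a.name)].add(a.name)
        if a.nationality != home_country:
            by_day_foreign[a.opened_on].add(a.app_id)

    result: Dict[str, List[str]] = {}
    for a in apps:
        flags = []
        if not a.info_complete:
            flags.append("reluctant_or_incomplete_info")
        if not a.phone:
            flags.append("no_phone")
        if MAIL_DROP.search(a.address):
            flags.append("mail_drop_address")
        if len(by_address[a.address.strip().lower()]) > 1:
            flags.append("address_shared")
        if len(by_name_key[name_key(a.name)]) > 1:      # different spellings, same key
            flags.append("name_variants")
        if a.nationality != home_country and len(by_day_foreign[a.opened_on]) >= group_size:
            flags.append("same_day_foreign_group")
        result[a.app_id] = flags
    return result


def review_queue(apps: List[Application], threshold: int = 2, **kw) -> List[str]:
    """Application ids carrying at least `threshold` flags, most-flagged first."""
    res = screen(apps, **kw)
    return sorted((i for i, f in res.items() if len(f) >= threshold),
                  key=lambda i: (-len(res[i]), i))


# Constructed sample applications for the example; not real customers.
SAMPLE = [
    Application("A1", "John Smith", "12 Elm Road, Leeds", "0113 555 0100", "2024-03-01", "GB", True),
    Application("A2", "J. Smith", "Suite 4, 1 Tower St, London", None, "2024-03-01", "GB", False),
    Application("A3", "Maria Rossi", "Suite 4, 1 Tower St, London", None, "2024-03-02", "IT", True),
    Application("A4", "Luca Bianchi", "5 High St, Bath", "01225 555 0200", "2024-03-02", "IT", True),
    Application("A5", "Anna Russo", "9 Park Ave, Bath", "01225 555 0300", "2024-03-02", "IT", True),
    Application("A6", "Jon Smith", "77 Hill St, York", "01904 555 0400", "2024-03-05", "GB", True),
]

if __name__ == "__main__":
    for app_id, flags in screen(SAMPLE).items():
        print(app_id, flags)
    print("review queue:", review_queue(SAMPLE))
```

The flags are a starting point for a human reviewer, as the text says of the list itself; a single flag such as a shared address is common in legitimate cases, which is why the queue uses a threshold rather than treating any one hit as suspicious.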

11.1.3 Operational Risk

This is described by the Bank for International Settlements in its sound practices paper as:

“the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events.”

Essentially, it arises from the day-to-day running of a company's business functions. While a firm seeks to reduce the incidence of financial crime by implementing a robust series of policies and procedures, these still need to be adhered to. Failure to do so will, in extreme cases, result in both regulatory penalties and reputational damage. It is therefore important for two main areas of money-laundering-deterrence procedures to be monitored appropriately:

  1. The process of KYC and monitoring of the relationships maintained by the firm.
  2. The process leading to the reporting of concerns to the appropriate authorities.

In preceding paragraphs we have concentrated on the first of these risk areas and recommended the maintenance of robust controls. The second issue is rather different in that it relates to the operation of the financial crime reporting system itself. It is incumbent upon the relevant officers to maintain a detailed record of any relationship reported to them, highlighting clearly the work that has been undertaken either to confirm or reject the concerns.

The trail of investigation leading to reporting to the appropriate authority will be important, not just for the firm to show that it has acted diligently, but it will also support the safe harbour provisions included within the regulations.

Globally, penalties for failure to meet the expected demands are becoming increasingly prevalent. Another recent UK case clearly identifies both the problem and the views of the regulator.

On 5th May, 2010, the regulator reported that it had imposed a financial penalty of £140,000 on an online provider of foreign exchange services for speculative trading, for failing to have in place adequate anti-money-laundering systems and controls. Its former Money Laundering Reporting Officer (MLRO) also received a financial penalty of £14,000, again highlighting the importance that the regulator places on this role.

The regulator emphasised that one of its many requirements is that regulated firms should carry out risk assessments of the money-laundering and financial-crime risks to which they are exposed. It identified that the firm had failed to carry out thorough assessments for in excess of two years, which put the firm at risk of being used to further financial crime.

Specifically, they identified that the firm failed to carry out satisfactory customer due diligence procedures at the account-opening stage and failed to monitor accounts adequately. These failings were particularly serious as the firm's customer relationships did not operate on a face-to-face basis. They also noted that the firm failed to have in place adequate systems for screening customers against global sanctions lists and for determining whether customers were politically exposed persons (PEPs).

In terms of reporting suspicious activity reports, a further UK regulatory penalty both identifies the problem and clearly demonstrates the impact.

On 10th December, 2003, the FSA fined Abbey National (now Banco Santander) companies a total of £2,320,000 for serious compliance failings. Abbey National plc was fined £2 million for breaches of the FSA's Money Laundering Rules, while Abbey National Asset Managers Limited (ANAM) was fined £320,000 for systems and control breaches. Both cases reflected wider control failings, including inadequate monitoring of key regulatory risks across the Abbey National group over a prolonged period.

Regarding Abbey National plc, the regulator stated that:

“The failure by Abbey National to monitor compliance with FSA Money Laundering Rules demonstrated a marked lack of regard for its regulatory obligations. Abbey National failed to ensure that suspicious activity reports were promptly considered and reported to the National Criminal Intelligence Service and to identify customers adequately. Both these controls are fundamental to the UK's Anti-Money Laundering regime's effectiveness. Their failings also reflected the fact that the overall control environment, particularly compliance monitoring, has been weak across the group over a prolonged period.”

The regulator's investigation revealed weaknesses in Abbey National's anti-money-laundering controls across its retail banking division. The investigation found that from December 2001 until April 2003, Abbey National failed to adequately monitor anti-money-laundering (AML) compliance following the introduction of the FSA's Money Laundering Rules.

The failings included reliance on a system of self-certification of AML compliance by branches, the lack of AML compliance monitoring by a central function and the failure to provide key management information to the Money Laundering Reporting Officer (MLRO) function regarding this process. These failings contributed to high rates of non-compliance with Know Your Customer (KYC) requirements which persisted until April 2003.

The FSA's enquiries also revealed that, in respect of customer transactions carried out or attempted during 2002, Abbey National's MLRO function failed to ensure that internal suspicious activity reports (SARs) were promptly considered and reported as required. This breach extended from February 2002 to October 2003.

Money laundering is a global industry, and the controls that should be implemented are essentially the same regardless of the actual jurisdiction in which an institution is based. The rules and best practice standards are international, and the risk management function should ensure that they are built into a complete risk-management framework to ensure that the firm is properly protected.
