CHAPTER 12
THE ROLE OF THE MONEY LAUNDERING REPORTING OFFICER
12.1 WHAT IS A MONEY LAUNDERING REPORTING OFFICER?
International organisations such as the Financial Action Task Force and the Bank for International Settlements actually do not have the ability to impose rules or regulations. Instead, this is left to the local jurisdiction to implement according to the requirements of the local legal and regulatory framework. Consequently, global money-laundering regulations place the requirement to instigate local rules and regulations that set out responsibilities, accountabilities and procedures on individual countries.
In order to comply with what are often referred to as the systems and control function requirements regarding money-laundering deterrence, there is normally a requirement to appoint a responsible individual to take ownership of the process, who is referred to as a Money Laundering Reporting Officer (or MLRO). In the few jurisdictions where there is no specific requirement for a Money Laundering Reporting Officer to be appointed, there is still a requirement for an individual to take similar responsibilities.
Among the key responsibilities is the requirement that the MLRO should be the first point of contact within a firm for any issues which relate directly or indirectly to money-laundering deterrence or suspected terrorist-financing activity. They should be responsible for any strategic decisions made by the firm concerning money laundering and financial crime deterrence. The MLRO, therefore, has ultimate managerial responsibility for regulation of money laundering. Insufficient performance of this role can result in fines being issued by the appropriate regulatory authority, depending on the rules of the relevant jurisdiction. However, this does not, in any way, diminish the role of the board of the firm. Corporate governance principles state clearly that it is the governing body that has responsibility for the direction of the business, including its risk management and strategy. This clearly also includes money-laundering deterrence and the avoidance of assisting terrorists with financing. Accordingly, the MLRO responsibilities should be taken with this overall governance framework in mind. If the MLRO believes that there is a conflict between the way that the firm is being run by the executive management and the obligations that are placed upon them as MLRO, they are required to make this known to the appropriate authorities.
The regulators do place major importance on the firm's implementing appropriate controls in these areas, and failure to do so can put both the firm and the MLRO at risk. For example, in May 2012 the Financial Services Authority (FSA), which was at that time the UK's financial services regulator, penalised Habib Bank AG, Zurich in respect of money-laundering-deterrence failings. A penalty of £525,000 was placed on the firm, with an additional £17,500 on the MLRO for failing to establish and maintain adequate AML systems and controls.
In its public report, the FSA stated that during the period 15th December, 2007 to 15th November, 2010, the bank had failed to establish and maintain adequate controls for assessing the level of money-laundering risk posed by its customers. In particular, the bank had maintained a high-risk country list which excluded certain high-risk countries on the basis that it had group offices in them.
This is an important issue and one that deserves additional consideration in terms of the responsibility of the MLRO. The MLRO may believe that an area of the world is low risk, they may even emanate from that region themselves. This is actually of very little relevance to the situation. The obligations are clear. The MLRO should ensure that the level of due diligence conducted takes into account all the available evidence and also meets the expectations of the regulators. Failure to achieve this will be difficult to justify and can lead to regulatory difficulties.
So, in this case, the bank's local knowledge of what the FSA considered to be high-risk countries did not negate its requirement to treat them as posing a higher risk of money laundering, and consequently conducting enhanced due diligence.
However, for there to be a penalty on a firm there are normally a number of things that have gone wrong, and this case was no exception. The FSA also identified significant failings with regard to the bank's risk classification of customers and the rigour of procedures applied to identify and assess such customers. In particular, the bank was criticised for failing to conduct enhanced due diligence on higher risk customers. The FSA also found that the bank failed to conduct adequate enhanced due diligence in relation to higher risk customers.
Among the significant failings found were that, on a high percentage of files, high-risk accounts had been inappropriately classified as normal risk. They also found that the enhanced due diligence conducted was inadequate (in that insufficient information or supporting evidence had been gathered), and that, in some cases, the enhanced due diligence had not been conducted prior to transactions occurring on the account.
The penalty on the MLRO may appear to be small, but it is a clear message and it would be unlikely for such an MLRO to find alternative employment in a similar capacity subsequently.
12.2 WHO CAN BE APPOINTED AS AN MLRO?
An MLRO will normally be expected to hold a senior management position, and will need to be trained on both regulatory and compliance issues concerning money-laundering deterrence and terrorist financing. In terms of seniority, this is because the MLRO will be required to conduct investigations and these could involve very senior management and also sensitive subjects. The need for care and tact, supported by their seniority within the organisation, enables such a role to be undertaken successfully.
Clearly, the MLRO must also have sufficient resources, time and support staff to enable them to undertake their role effectively. The duty normally sits with the firm to ensure that the MLRO is able to monitor the day-to-day operation of its money-laundering and terrorist-financing-deterrence activities. However, if there are not adequate systems to enable this to be achieved, the responsibilities of the MLRO are not, in any way, diminished. It is they who must demand the systems and people that they require, commensurate with the level and complexity of the firm. The general requirement states that the MLRO must also be able to respond promptly to any reasonable request for information made by relevant regulatory authorities. To be able to achieve this, the MLRO needs to understand what information is held by the firm and how it can easily be accessed to meet such demands. Often this will require the use of specific software, although this need not necessarily be the case. As firms increasingly move towards data solutions which facilitate better use of data, as a consequence they also provide the MLRO with the additional tools that they require to achieve their roles.
The question then arises whether the role of the MLRO can easily be combined with another role within the firm. This is particularly an issue for the smaller firm. Combining the role of the MLRO with that of the Compliance Officer, who takes responsibility for ensuring that the business complies with all other rules and regulations, can be considered an appropriate solution. No other role actually provides the same level of independence that is required, and combination with the role of Head of Internal Audit would not appear to be ideal. Since internal audit reports essentially to the board and its subsidiary Audit Committee and undertakes work at their behest, they will also wish to conduct audits into the money-laundering and terrorist-financing-deterrence procedures that have been implemented within the firm.
If another role is to be selected to be combined with that of the MLRO, then the key issue to consider is to what extent the role is either client- or counterparty-facing, or able to influence the recording or processing of such transactions. If any role does exist without any of these responsibilities, then this may become the least worst alternative.
12.3 THE ROLE OF THE MONEY LAUNDERING REPORTING OFFICER
As mentioned earlier, the MLRO is responsible for the oversight of implementation of anti-money-laundering and terrorist-financing-deterrence strategies and policies.
The key elements of the MLRO role will usually consist of:
- Making strategic decisions concerning suspicious activity reports;
- Responsibility to deal with internal reporting of suspicious activity;
- Responsibility to report to and send notifications and disclosures to the appropriate regulatory authorities;
- Establishing and maintaining arrangements for awareness and training to all internal staff;
- Monitoring and controlling money-laundering policies and procedures;
- Producing an annual report covering the anti-money-laundering activity of the previous year;
- Liaising with regulatory authorities to deal with such matters as consent to proceed with a transaction and other disclosure issues, particularly with regards to clients or third parties.
One of the key elements resulting in the appointment of the MLRO is the protection normally afforded to them through locally implemented legislation. It is such legislation that protects the MLRO and enables them to override customer confidentiality in making reports to the relevant reporting agency. Such protection does not normally extend to any other parties within the regulated entity. The MLRO is also normally able to undertake their investigations, leading up to whether a case will or will not be reported, knowing that, in the absence of manifest negligence, they will actually also be protected.
Clearly, the exact legal protection afforded by local legislation will vary, and, again, reference should be made to local rules where detailed guidance is required.
12.3.1 The Safe Harbour and its Limitations
Global money-laundering regulations specify that any MLRO acting less than diligently will still be subject to certain sanctions. The extent of such a sanction will vary depending on the relevant regulation that has been implemented locally. There will generally be a defence within most money-laundering regulations to act as a safe harbour for the MLRO in respect of any action resulting from breaching data secrecy and confidentiality rules, as long as they act diligently.
The typical wording of most local regulation will state that the MLRO still needs to have demonstrated that they have maintained due care and attention in order to obtain protection from prosecution. To achieve this, there is clearly an obligation on the MLRO to maintain adequate documentation to support the decisions that they have made.
Again, the maintenance of detailed policies and procedures together with relevant documentation is always the best way for the MLRO to demonstrate that they have acted appropriately, so long as they are clearly complied with. To make sure that such processes and procedures are adequate, many MLROs will have their documentation reviewed by internationally recognised legal experts to confirm their compliance with best practice and local regulation.
12.3.2 Matrix Management
One of the MLRO's main roles is the reporting of suspicious activity and ensuring that sufficient procedures are in place to carry out the required reporting to the relevant authority. In some cases, the MLRO may delegate some of his/her role to a deputy MLRO. Generally speaking, it is not advisable to have too many people involved in the process of reporting suspicions, as the required confidentiality of the process may be compromised. The more direct the process of reporting a suspicion is, the less likely the risk of the client being alerted to a suspicion.
In large corporations, the sheer volume of suspicions which an MLRO receives means it will not always be practical for the MLRO to have sole responsibility for receiving notifications and suspicions. Therefore, larger, more complex corporations will have a system of dual notification in place, whereby notifications of suspicions can be reported either to the MLRO or another individual within the business unit. Such a role is generally separate from the delegated role that a deputy MLRO may have delegated to them. The idea is to have an alternative contact within the firm, who has a high level of training but operates in a different part of the business structure. This type of role tends to be allocated to Compliance Officers. Compliance Officers have a quasi-legal background and so they are able to contribute a high level of knowledge and expertise to the process.
However, the main criterion to have in mind when allocating this role is to appoint someone whose role is as minimally client-facing as possible. The analogy behind this is that limited client contact means the reporting officer is less likely to inadvertently alert clients to any suspicions. Once a suspicion has been raised, it is usually difficult for an employee who has knowledge of such reporting and deals directly with the reported client to remain independent and avoid instigating probing questions from a potentially wary client. For example, a client relationship manager who deals with a client under suspicion may need to continuously find reasons to delay completing a transaction which involves transferring funds. The client will clearly be alerted to the possibility of concerns if the client relationship manager is now suddenly always unavailable. There is also the possibility that employees who work closely with their clients may, in rare cases, themselves be involved in the fraud or money laundering. It is, therefore, advisable to maintain a degree of separation in order to dilute the degree of influence which such an employee might have.
While we have outlined the benefits of appointing an alternative notifying officer from a higher, non-client-facing level, we realise that this style of structure may be primarily limited to large corporations. Employees of small companies tend to have an overlap in functions and responsibilities, with it being possible that all functions may, in some sense, be client-facing. This may be addressed with the possibility of outsourcing some of the work of the MLRO, whilst not outsourcing the legal responsibilities. This clearly will help maintain an MLRO's independence and, as an outsourced resource will certainly not have any contact with clients, will maintain confidentiality.
12.3.3 What is an MLRO's Internal Reporting Procedure?
All suspicions identified within the business must be reported to the MLRO or to a deputy MLRO, if the MLRO has chosen to appoint one. Ideally, the process of reporting suspicions should be as direct and timely as possible. All suspicions which are reported to the MLRO should be fully documented, with the date and time together with the full name of the member of staff and position and role within the firm recorded.
An initial report should be prepared with details of the customer and a full statement detailing information giving rise to the suspicion. The MLRO will then acknowledge receipt of the report and inform the member of staff to do nothing which may prejudice any potential investigation or tip off the customer. All internal enquiries, including investigations conducted to confirm the suspicion and decisions made whether or not to submit the report to the relevant reporting agency, should be also be documented in full.
This is done as a matter of good practice to enable the MLRO to make reference to past suspicions, should an investigation subsequently arise and to provide some level of defence in case of reports not made after investigation, highlighting that appropriate actions were, in fact, taken. Reports should also include whether any transactions were actually prevented from proceeding any further as a result of a money-laundering suspicion being identified.
It is also good practice for the MLRO to maintain a register of suspicions received, investigated and reported to provide some monitoring of the process. This will, in particular, highlight any cases where the MLRO has been required by the relevant agency to take specific action, such as freezing an account. It will also highlight the number of cases where the MLRO has made a report, but there has been no direct response from the relevant agency of any kind.
12.3.4 What is Contained in the MLRO's Annual Report?
In order to maintain adequate systems and controls for compliance with its regulatory obligations, in many countries firms are required to commission an annual report from their MLRO. Such an annual report aims to focus on specific outcomes rather than just providing a list of various statistics. It should generally conclude on the effectiveness of the firm's money-laundering and terrorist-financing-deterrence systems and make recommendations for improvements.
Another benefit of producing such a report is that it is a helpful tool which enables the MLRO to document key money-laundering and terrorist-financing-deterrence policies and procedures, identifying key issues of relevance to senior management.
Recommendations made by the MLRO in the report should then be considered by the firm's senior management. It is the role of the senior management to assess whether internal reports are being made when required and to consider whether figures revealed in the report could, in fact, conceal inadequate reporting. Having considered the report, senior management will then need to take any necessary action to remedy any deficiencies identified by the report.
Annual reports made by the MLRO may cover all, or any, of the following information:
Nominated Officer (or MLRO)
The name of the nominated officer should be stated, together with a summary report on their activities.
Director/Senior Management
The report should outline the demarcation of responsibilities between the MLRO and senior management of the firm, providing additional clarity as to the protection provided to the MLRO by relevant legislation.
MLRO Functions
The responsibilities of the MLRO should be confirmed as well as highlighting any areas where the MLRO considers that they are restricted from carrying out their function. The report may also consider whether the MLRO has sufficient resources and access to information.
Staff Training
The report should include information concerning the training of staff, including who has been trained, methods of training and any difficulties faced in achieving a satisfactory level of training. Any recommendations or improvements to training should also be considered.
Information to Senior Management
A description of the reporting procedure to senior managers who receive reports should be included. The extent to which customer or counterparty names should be included in such reporting should also be considered, since additional disclosure could potentially increase the risk of tipping off.
Documentation of Policies and Risk Assessments
The report should describe arrangements for documentation of policies and risk assessments. The report may specifically describe how the firm uses local regulatory and statutory guidance. The report will typically identify deficiencies in current policies and reporting procedures, as well as outlining the seriousness of the issue and any recommendations for change. This part of the report may also comment on any new regulatory or legislative changes which will impact on the firm's risk-management processes.
New Products
As new products are introduced, it will be important for the MLRO to consider to what extent they may potentially be used by people engaged in money laundering and terrorist financing, such that appropriate policies and procedures can be adopted prior to the product launch. In the report, the MLRO will refer to the new products that either have been or are planned to be launched, consider the susceptibility to money laundering and terrorist financing and document the actions proposed or taken to mitigate such susceptibility.
Financial Exclusions
Many jurisdictions have specific rules requiring financial institutions to avoid excluding any specific customer grouping from the business conducted by the firm. Such rules can potentially run contrarian to the objectives of the MLRO. Accordingly, in the annual report the MLRO should describe the arrangements for dealing with customers who are financially excluded and their impact on the money-laundering and terrorist-financing regime adopted.
Arrangements for Monitoring Effectiveness of Systems and Controls
Normally, the report will set out how the MLRO is achieving all of their objectives, including the maintenance of effective systems and controls. In this respect, the contents of the report typically refer to the following in summary:
- The nature of the systems and controls operated by the business;
- Recommendations for the firm's systems and controls to ensure that they cover areas of:
- the system for producing information provided to relevant agencies and to senior management;
- the adequacy of relevant risk-management policies and risk profiles;
- the processes adopted in respect of new products, the taking on of new customers and changes in business profile;
- Conclusions regarding the nature of employee acceptance and recruitment processes and procedures.
Summary of Business Areas
In their report, the MLRO will generally outline the business operations and activities of the firm, highlighting how susceptible these are to use by criminal elements and the implications these then have on the money-laundering and terrorist-financing controls that are applied.
Customers and Customer Due Diligence Processes
Clearly, the adequacy of customer due diligence remains at the heart of the work that the MLRO requires the business to undertake, and accordingly this is generally also included in their annual report. Key elements of such a report will generally include the following:
- Details of the firm's customer base, including information on size, area of business, country of origin, percentage increases/decreases and anything unusual;
- Information on the firm's politically exposed person (PEP) policies and procedures;
- The firm's arrangement for sanctions compliance, including information on procedures, checks, who is verified and the type of transactions that are checked;
- Details of arrangements where identification and due diligence are not carried out directly by the firm;
- The procedures which are used for identification verification, including any exceptions which may exist;
- Details as to how high-risk customers are dealt with;
- Information on how Know Your Customer (KYC) information is collected, together with information, if relevant, concerning the implementation and modelling of the risk-based approach;
- The firm's arrangements for monitoring transactions;
- Information summarising the firm's product range and the risk that this poses to the firm in terms of its susceptibility to being used by criminal elements;
- Normally there is also a discussion of the geographical areas of operation of the business and any additional risks that these pose.
Overall Assessment of Systems and Controls
While customer due diligence is a fundamental part of the deterrence policies, ongoing controls, policies and procedures are also of significant importance. It is incumbent upon the MLRO to ensure that senior management and the regulators have a full and comprehensive understanding of the nature of the control environment employed by the firm, together with the conclusions as to the adequacy of such procedures. Accordingly, the report normally will address the following issues:
- The nature of the systems and controls in place and whether they are comprehensive and proportionate;
- Whether such systems and controls have been regularly reviewed, by whom and the conclusions that have arisen;
- Whether there have been any control failures. Any such failures will generally be identified, as well as any rule breaches and remedial action taken.
Record-keeping
MLRO and firm record-keeping requirements do vary between jurisdictions, with many regulators undertaking reviews into both the adequacy of such records and their compliance with the relevant rules and regulations. Accordingly, in their report the MLRO will typically wish to refer to the following matters:
- The format and location of where records are kept, together with any changes that have been made to the way the information is recorded or stored;
- Whether there have been any failures in controlling the record-keeping procedures, as well as any recommendations for change.
Suspicious Transaction Reporting
This is also a fundamental part of the role of the MLRO; accordingly, reference to this will generally also be made in the annual report, without highlighting specific details of individual cases identified and whether they were, or were not, reported. Matters that will generally be referred to in the report will include:
- An outline of the methods used to identify suspicious transactions and any limitations to this process;
- Any improvements, enhancements or proposed systems changes which the MLRO feels are necessary.
Internal Reporting
- A summary of the number of internal reports made by each business area;
- The number of internal reports which were not forwarded to the relevant money-laundering authority. The report will also generally highlight whether this number has increased or decreased from previous years;
- Any circumstances which may have led to changes in reporting, and identification of possible trends;
- Any quality checks on reporting that are made by the MLRO.
External Reporting
A separate section of the annual report normally provides the senior management and regulators with information regarding reporting actually made by the MLRO. The contents of this section will typically include the following matters:
- Whether there were any cases of money laundering where a report was not made;
- A breakdown of the number of reports which were passed to money-laundering authorities per business area;
- Any changes/trends in reporting;
- Any feedback from the relevant money-laundering authority on reporting, whether individually or by sector;
- A review of the nature of actions taken concerning non-cooperative jurisdictions, including any measures implemented within the firm.
Recommendations for Action
This section should detail recommendations made by the MLRO to senior management. This should be described in order of priority areas of remedial and preventative action, as well as an expected timeframe for action. The MLRO should also comment on the adequacy of resources, as well as any recommendations for change.