Money Laundering: Risk Management Vs Compliance

Bachir El Nakib

The difference between compliance and risk management

Compliance, in association with established industry regulations, ensures organizations stay protected from specific risks, whereas risk management helps protect organizations from risks that could lead to non-compliance, which is a risk in itself.

When the concept of money laundering risk management was first introduced in the mid-1990s, it was generally dismissed. The reason was simple: a far too narrow approach was promoted by both the Joint Money Laundering Steering Group and many advisers. Risk management was implicit in the law to counter money laundering, yet almost all focus was on the provisions of law and regulation created in accordance with the European Union's Money Laundering Directive. 

The reason for this is simple: it is the primary law in all countries that defines the criminal offences of money laundering, i.e., processing the proceeds of one's own or someone else's criminal conduct or assisting someone else to do so.

The systems that are specified in guidance notes, regulations and the like were originally rather "VAGUE", but financial services businesses and their trade bodies wanted to see something defined. They argued that to define the systems would impose certainty and reduce costs. The main risk that affected financial services businesses was considered to be falling foul of a regulator or, at worst, of being prosecuted for failing to put in place systems in accordance with the requirements of, for example, the UK's Money Laundering Regulations 2003.

That focus, however, omitted the primary risk: that organisations would be used by a money launderer and, in the process, themselves become money launderers. For those businesses that had been poorly advised, realisation of the enormity of this genuine risk only began to dawn when the draft for Basel II was published.

By then, there had been a widespread move towards prescriptive compliance manuals issued by regulators or approved as quasi-regulatory guidance. What has not been sufficiently widely understood is that while, on the face of it, those prescriptive measures were the compliance requirement, the overlaying of a risk assessment process means that the prescription became a matter of form rather than one of substance. When the Bank for International Settlements (BIS), the central bankers' club and, by default, the club for banking regulators, began the development of Basel II, it was against the background that banking was a risk business.

Today, that concept is painfully obvious but at the time, again, the focus of bankers in particular was on financial risk. Such a focus had been caused in part by the following statement by BIS in principle seven of Basel II:

"Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including board and senior management oversight) to identify, evaluate, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the institution."

BIS Principle 18

Also related to this area: "Supervisors must be satisfied that banks have adequate policies and processes in place, including strict 'Know Your Customer' Rules, that promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities."

That is not, however, the section that requires the most comment. In its overview in Risks in Banking 1997, BIS said: "Banking by its nature entails taking a wide array of risks. Supervisors need to understand these risks and be satisfied that banks are adequately measuring and managing them. The significant risks faced by banks are:

- Credit Risk;
- Interest Rate Risk;
- Country and Transfer Risk;
- Liquidity Risk;
- Market Risk;
- Operational Risk;
- Legal Risk; and
- Reputational Risk."

Reputational Risk

It was against this background that money laundering risk was relegated almost to a footnote, mentioned only briefly under "legal risk". The "reputational risk" aspect is nevertheless very important. In the mid-1990s, this author was among those who emphasised that reputational risk could be a vital consequence of any failure to detect and deter money laundering. Although correct in broad terms, there was an error in the detail. It was previously assumed that the risk to reputation would come from consumers who, learning that their bank (or other service provider) had been involved in money laundering, would change provider. More than a decade and a half later, it appears that this may have been an incorrect assumption: so far as the author is aware, there has not been a single proved instance of a customer or client changing bank, insurance company, lawyer or other service provider because it has been proved or even alleged that the provider has been involved in money laundering, except where, in the case of an individual, that individual has been the subject of parallel disciplinary proceedings to exclude them from the profession.

Reputational Risk certainly does exist, however, and has real and serious effects: it just does not work in the way that might have been expected. Indeed, reputational risk seems to have manifested itself through a combination of principles one and two, and of principle 25, which says: "Cross-border consolidated supervision requires cooperation and information exchange between home supervisors and the various other supervisors involved, primarily host banking supervisors. Banking supervisors must require the local operations of foreign banks to be conducted to the same standards as those required of domestic institutions."

The case of Goldman Sachs International

This is the equivalent of the "best of home or host" requirement placed on financial institutions under counter-money laundering law and regulation in most countries, and is in line with the Financial Action Task Force's recommendations. Although not related to money laundering, the most recent practical example of this cross-referencing in action was the fine imposed on Goldman Sachs International by the UK Financial Services Authority. The fine was levied because GSI was involved in marketing products structured in the US. When the SEC began its investigation of Goldman in the US, it said: "GSI did not have effective procedures in place to ensure that its compliance department was made aware of the SEC investigation so that it could consider whether any notifications needed to be made to the FSA in compliance with GSI's regulatory reporting obligations. GSI did not set out to hide anything, but its defective systems and controls meant that the level and quality of its communications with the FSA fell far below what we expect of an authorised firm."

This demonstrates that the reputation of Goldman in the US had been picked up by the FSA, and the FSA acted not in relation to any failing relating to the product, but in connection with its internal systems and controls. The net result has been that regulators are focussing on systems and controls as much as on the actual risks with which the systems and controls are designed to cope. The risk to reputation is not that a bank or other financial institution will lose business, it is rather that domestic regulators (as, for example, in the case of Riggs Bank) or overseas regulators (as in the case of Goldman, above) will seize on that reputation as a reason for proceedings. Reputation is defined not only by the actions of an institution itself, but also by the actions of a government. That, at its most fundamental, is the entire purpose behind the FATF's non-cooperative countries and territories list (and its 2009 clone) and the notion of "of primary money laundering concern" under the USA PATRIOT Act. Put simply, a business can be named and shamed even though there is no evidence to support the allegations, as in the case of Banco Delta Asia, where the US has consistently refused to produce any evidence, even in court proceedings, to back up its claims.

Thus, compliance is now not merely a matter of law and regulation but it is also a question of management. This is driven by a rather quaint idea that the identification and management of money laundering risk can be measured, but it has also been influenced by the desire from banks and insurance companies in particular for what they thought would be certainty in regulatory regimes. The regime has turned out to be largely prescriptive, and the Joint Money Laundering Steering Group's guidance notes have largely been adopted around the world.

The extent to which that person has control over the MLRO's decision-making process will define the success or failure of the systems in practice, even if on paper they are in full compliance with guidelines, regulations or anything else. MLROs should be senior and have authority to turn away any business; they should be autonomous. Yet in one country this author is familiar with, it is common for internal audit to examine the MLROs' decisions; in some companies in that country, the MLRO (who often holds that function along with several other administrative functions) is instructed that all suspicious transaction reports must first be approved (and by implication may be rejected) by the managing director.


A specific risk to watch for when assessing, e.g., counterparties for other financial institutions, is that of autocracy. For example, in cases where very small spending, often as little as $250, requires the approval of the managing director, power may be regarded as too concentrated in one pair of hands. Where power is concentrated in one person or a very small, tight-knit group, the checks and balances inherent in a larger, more diverse board are missing. Almost every major corporate failure which has hit the headlines in the past decade, from Enron to Satyam to HIH, has had a single common feature: there was no one looking over the shoulder of those who were doing wrong. Guidelines nevertheless say that it is acceptable (unless there are specific circumstances to indicate to the contrary) to rely on a presumption that a financial institution regulated in an FATF-member jurisdiction (or similar) has conducted proper due diligence. That approach, against which this author has argued for more than 15 years, has been found wanting. When Standard Chartered in Japan relied on a presumption that CSFB in Hong Kong had undertaken due diligence in relation to a Japanese client, it was found:

1.     That CSFB, corporately, knew nothing of the transactions: they were conducted using CSFB facilities by a Japanese employee acting on a whim of his own.

2.     That therefore CSFB, in ignorance of the transaction, had done no due diligence.

3.     That Standard Chartered, having seen CSFB's name on all correspondence, had assumed CSFB was conducting the transactions.

The Financial Services Agency in Japan disciplined Standard Chartered for failing to undertake due diligence. That case pre-dates the most recent and even stronger suggestions that such reliance is safe.


In September 2010, a similar question arose in the US, although the circumstances were entirely different. Broker-dealer Pinnacle, based in Raleigh, North Carolina, has a specific business model: more than 99 per cent of its customers live outside the US. It provides direct access to its trading platform. The firm's counter-money laundering policy said that it would identify customers but the US Securities and Exchange Commission found that, over a six-year period, it had not done so in many cases. This was because: "Many of the firm's foreign entity customers hold omnibus accounts at Pinnacle through which the entities carry sub-accounts for their own corporate or retail customers. Pinnacle treats the sub-account holders of the foreign entity omnibus accounts in the same manner as it does its regular account holders." In short, they provide accounts to securities houses overseas and those securities houses' own customers operate the Pinnacle platform through the account of the overseas securities house. This is similar to the "pass through" accounts operated by US banks for other banks and, in some cases, corporate customers.

The order specifically found that from October 2003 to August 2006, Pinnacle did not verify the identities of 34 out of a sample of 55 corporate account holders. The commission found further that between October 2003 and November 2009, Pinnacle did not collect or verify identifying information for the vast majority of the beneficial owners of sub-accounts maintained by Pinnacle's omnibus brokerage accounts. Consequently, the order found that Pinnacle's documented procedures differed materially from its actual procedures. Pinnacle settled the action without admitting or denying the allegations and paid a penalty of $25,000. The core point is simple: regulators do not agree that blind acceptance of introductions from third parties, including those who are regulated to a similar degree, should be regarded as safe. Similarly, the Pinnacle case showed that due diligence is required even when the client is a regulated entity. There was no allegation that money laundering in fact took place.

Crowell, Weedon & Co

Having a compliance system in place but failing to use it also attracts ire from regulators. Crowell Weedon & Co had a compliance/risk management system in place and it met the requirements in the US. The SEC found, however, that the firm did not adhere to its policies. In particular, the SEC's findings showed:

The procedures set forth in the 'know your customer' section required the registered representative opening an account for a customer to, among other things: (1) fully and accurately complete the new account application with regard to identifying pieces of information, including the customer's social security number or tax identification number, occupation, date of birth, citizenship information, and mother's maiden name; (2) enter information on the new account application indicating how the customer was introduced to the registered representative; and (3) if the customer was not well known to the registered representative, obtain from the customer additional documentation such as a copy of a driver's licence or passport.

The procedures set forth in the customer identification programme specified that Respondent would verify the identity of each new customer using both documentary and non-documentary methods. The documentary methods set forth in the procedures specified that when appropriate documents were available, Respondent would verify a customer's identity by reviewing the following documents:

1.     For an individual: an unexpired government-issued identification evidencing nationality, residence, and bearing a photograph or similar safeguard, such as a driver's license or passport.

2.     For a person other than an individual: documents showing the existence of the entity, such as articles of incorporation, a government-issued business licence, a partnership agreement, or a trust instrument.

The non-documentary methods set forth in the procedures specified that the Respondent would verify a customer's identity by:

1.     Contacting a customer.

2.     Independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.

3.     Checking references with other financial institutions.

4.     Obtaining a financial statement.

The procedures set forth in the CIP further specified that Respondent would generally use "non-documentary methods in every instance as a formal precautionary safeguard" in addition to specific situations where such methods were expressly required. The specific situations identified were:

1.     When the customer was unable to present an unexpired government-issued identification document with a photograph or other similar safeguard.

2.     When Respondent was unfamiliar with the documents the customer presented for identification verification.

3.     When the customer and the firm did not have face-to-face contact.

4.     When there were other circumstances that increased the risk that the firm would be unable to verify the true identity of the customer through documentary means.

The procedures set forth in the CIP specified that Respondent would document its verification, including all identifying information provided by the customer, the methods used and results of the verification, and the resolution of any discrepancy in the identifying information. They further specified that Respondent would keep records containing a description of any document that it relied on to verify a customer's identity, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date. Similarly, the procedures specified that, with respect to non-documentary verification, Respondent would retain documents that describe the methods and results of any measures taken to verify a customer's identity, including downloading verification information from a third-party vendor.

That all looks pretty standard; the kind of wording that a boilerplate compliance system would have, borrowing heavily from the wording of regulations and guidelines, and very much like the kind of policies that businesses all over the world might have.

So what went wrong?

The SEC determination file dated May 22, 2006 stated: "Between October 1, 2003 and late April 2004, Respondent opened approximately 2,900 new accounts for customers. However, Respondent did not follow the verification and documentation procedures set forth in the CIP. Specifically, it did not review photo identifications from individuals when available, use the non-documentary methods set forth in the procedures, or document its verification in accordance with its written CIP. Rather, Respondent generally relied on its 'know your customer' policy and its registered representatives indicating that they had personal knowledge of the customer. Typically, the registered representative stated on the new account form that the customer was known to him or her because the customer was a family member or social acquaintance, a referral from an existing customer, or a customer with an existing or previous account."

The timing is important: at the time (2002-3), the USA PATRIOT Act had not been fully implemented (indeed, it still has not). Draft rules were issued and published in the Federal Register for broker-dealers, but no final rule was even on the horizon. The position was the same for introducers or "registered representatives." While the final rule was eventually brought into force for broker-dealers in 2005, in late 2008 FinCEN announced that it was withdrawing its draft final rule for introducers. The reason, it said, was that they "had direct line of sight of the money through the banking system".

What the SEC took no account of in the Crowell, Weedon & Co case was that a "no action" letter had been issued saying that broker-dealers could rely on the representations that an introducer had performed due diligence. That was presumably issued on the assumption that the USA PATRIOT Act would be properly and promptly implemented.

The SEC said: "The CIP rule, among other things, requires a broker-dealer to establish, document, and maintain procedures for verifying the identities of customers opening new accounts. The rule further requires that the verification procedures use documentary or non-documentary methods or a combination of both. ... Respondent's written CIP specified that it would verify the identity of each of its customers using certain documentary and non-documentary procedures, including reviewing a government-issued identification, where appropriate, and using a non-documentary method such as a database search. In fact, Respondent's actual program for verifying customer identities did not use the specified procedures contained in its written CIP. Rather, Respondent relied on its registered representatives to have personal knowledge of the customers opening new accounts, without documenting this process. Accordingly, Respondent did not accurately document its CIP as required pursuant to the CIP rule ... Respondent, by failing to accurately document its CIP, did not comply with the recordkeeping and record retention requirements under the CIP Rule."

Crowell, Weedon & Co did not admit or deny the allegations but it did reach a settlement which did not include the payment of any penalty.

Bachir A. El-Nakib,

ACAMS Instructor 

Supervision–Governance, Compliance Risk & AML