The impact of COVID-19 pandemic has resulted in financial institutions and regulators across the globe operating in an entirely new environment. The Financial Action Task Force ("FATF") has identified the potential risk of criminals exploiting the unprecedented situation through cybercrime, fundraising for fake charities and medical scams, and emphasized the importance of financial institutions' robust Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) compliance and controls.
In response to the emerging risks, key regulators across major markets have issued statements encouraging financial institutions to assist consumers and businesses in this time of economic uncertainty, through loosening certain aspects of their AML/CTF requirements such as client onboarding and customer due diligence. At the same time, financial institutions are reminded to remain rigorous in their AML/CTF control and compliance while most supervisors are deferring their onsite examinations and conveying that oversight may be relaxed in the midst of the outbreak.
This article first explores the kind of increased AML/CTF-related threats and vulnerabilities that FATF and national governments have warned about. Next, the article highlights statements issued by regulators notably in the United Kingdom, the United States and Hong Kong and identifies the key themes emerging from these statements and the factors that should be taken into account.
Increased COVID-19-related Crimes
With criminals trying to take advantage of pandemic fears, regulators and national governments have warned against an increase in criminal scams and laundering opportunities often associated with crises like the current pandemic. In the statement "COVID-19-related Money Laundering and Terrorist Financing Risks and Policy Response"1 issued on 4 May 2020 (FATF May 2020 Statement), FATF has identified how criminals and terrorists might exploit threats and vulnerabilities at a time of economic uncertainty to commit COVID-19-related crimes and fraud by way of2:
- Deliberate attempts to bypass customer due diligence measures;
- Increased misuse of online financial services and virtual assets to move and conceal illicit funds;
- Misuse and misappropriation of domestic and international financial aid and emergency funding; and
- Increased use of the unregulated financial sector, creating additional opportunities for criminals to launder illicit funds.
For a broader discussion of the financial crime risks associated with and arising out of the COVID-19 outbreak, as well as related guidance from European and US financial regulators, and strategies to mitigate those risks, please see our legal update Financial Crime Compliance and Risk Management for Financial Institutions and Other Market Participants Amid the COVID-19 Outbreak.3'
Responses from FATF and National Regulators
Recognizing the limitations of social distancing, FATF and national regulators have encouraged or authorized financial institutions to provide risk-based flexibility in the implementation of AML/CTF requirements in response to the effects of the pandemic.
In a statement published on 1 April 20204, FATF encouraged financial institutions to make appropriate use of financial technology such as digital or contactless payments and digital onboarding to facilitate the delivery of banking and financial services in response to the pandemic while mitigating money-laundering and terrorist financing risks. In relation to customer due diligence (CDD) and risk assessment, FATF has proposed a range of measures to enable financial institutions to use a risk-based approach to their customer due diligence. These include5:
- Applying simplified due diligence measures where lower risks are identified, for example, for accounts created specifically to facilitate government economic relief packages;
- Recognizing that there may be legitimate reasons for a customer not to provide information for ongoing due diligence or Know-Your-Customer (KYC) refreshers, for example, if the customer is confined, under quarantine or ill; and
- Rolling out responsible digital identity and other innovative solutions for identifying customers at onboarding and while conducting transactions.
Additionally, in the FATF May 2020 Statement6, FATF proposed a range of risk-based measures that regulators and national governments should consider taking in response to the challenges posed by COVID-19. These measures range from identifying, managing and mitigating the new AML/CTF-related risks to adapting operational responses and facilitating charitable activity and financial relief packages in the most pragmatic manner commensurate with the situation.
Guided by FATF, national regulators in key financial markets including the United States, the United Kingdom and Hong Kong have published statements reminding financial institutions to use the flexibility built into the FATF's risk-based approach to address challenges posed by COVID-19 while remaining alert to new and emerging illicit money-laundering and terrorist financing risks. Highlights of the key statements recently issued by regulators in the United States, the United Kingdom and Hong Kong are set out below.
(b) United States
FinCEN (Financial Crimes Enforcement Network), an agency of the Treasury Department, has issued guidance reminding financial institutions of a prior ruling that exempted certain categories of new accounts from the requirement to identify beneficial owners, and also noted that to the extent “renewal, modification, restructuring, or extension for existing legal entity customers falls outside the scope of that ruling, FinCEN recognizes that a risk-based approach taken by financial institutions may result in reasonable delays in compliance.”7
FinCEN, in conjunction with the US Small Business Administration, has also clarified that for loans being made pursuant to the US government’s Paycheck Protection Program (PPP), if the PPP loan is being made to an existing customer and the necessary CDD information was previously verified, it does not need to be re-verified. In addition, for federally-insured depository institutions and credit unions, if beneficial ownership information had not yet been collected on existing customers, those institutions do not need to collect and verify the information in connection with making a PPP loan, unless otherwise indicated by the lender’s risk-based approach to AML compliance.8 The questions a regulator is likely to ask in such cases is why CDD has not been collected and what is the risk-based assessment that justifies processing a government-insured loan that is dependent on customer certifications where the lender may not fully understand the customer at the time of issuance of the loan.
FinCEN has also recognized that certain regulatory timing requirements may be challenging during the COVID-19 pandemic and that there may be some reasonable delays in compliance. It has encouraged financial institutions to report to the appropriate regulator if they have compliance concerns as a result of the pandemic. Finally, FinCEN has also encouraged financial institutions to “consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations, in order to further strengthen the financial system against illicit financial activity and other related fraud.”9 This appears to be an exhortation to financial institutions to keep up with their AML/CTF compliance framework and programme and ensure that they are not falling behind what may become the standard industry practice.
(c) United Kingdom
In the United Kingdom, the Financial Conduct Authority (FCA) has written to firms that provide services to retail investors on issues around client identity verification and supervisory flexibility over best execution, among other measures. In the Dear CEO Letter to firms providing services to retail investors about Covid-1910 issued on 31 March 2020, the FCA has provided guidance on appropriate safeguards and additional checks which firms can adopt to carry out client verification remotely. Examples of remote customer verification include:
- Accepting scanned documentation sent by e-mail, preferably as a PDF;
- Seeking third-party verification of identity to corroborate that provided by the client, such as from their lawyer or accountant; or
- Asking clients to submit selfies or videos.
Since then, the FCA has emphasized the importance for firms to maintain effective systems and controls to prevent money-laundering and terrorist financing in the current climate.11
The FCA has also set out its high-level expectations on the application of firms' systems and controls for combatting and preventing financial crime.12 These are focused on the importance of remaining vigilant to new or emerging threats, while also recognizing that firms may need to re-prioritize or delay some activities according to the risk they pose. As well as remote client identification and verification, the FCA's statement of its expectations also covers other matters, such as the submission of regulatory returns and the need to try to keep certain senior managers responsible for financial crime-related functions in position if possible. There is a warning that "firms should not seek to address operational issues by changing their risk appetite. For example, firms should not change or switch-off current transaction monitoring triggers/thresholds, or sanctions-screening systems, for the sole purpose of reducing the number of alerts generated to address operational issues”. However, the FCA recognizes that it may be necessary to re-prioritize or delay some activities, such as due diligence reviews, or reviews of transaction-monitoring reports, in certain circumstances and subject to limits.
(d) Hong Kong
The Hong Kong Monetary Authority (HKMA) issued a circular13 on 7 April 2020 setting out measures financial institutions should take against money-laundering and terrorist financing in light of the COVID-19 outbreak, and HKMA's support for implementing such measures.
In recognition of the FATF standards, the HKMA has encouraged financial institutions to adopt "the least extent of customer due diligence"14 for prospective customers assessed as posing a low risk of money-laundering or terrorist financing risk, for example, customers onboarded solely for the purpose of the government's cash payout scheme. At the same time, the HKMA has also emphasized the importance of financial institutions mitigating risks through information sharing and detecting and reporting suspicious transactions to local legal enforcement agencies.
An added complexity arising out of the HKMA guidance is the impact of COVID-19 on financial institutions' transaction-monitoring systems where customer behavior has dramatically changed. To that end, financial institutions are reminded to detect suspicious activity by:
- Taking steps to modify existing transaction-monitoring scenarios and thresholds to reflect changes in behavior; and
- Staying alert to the risk arising from cross-border flows from countries that are receiving emergency COVID-19-related funding from international organizations and other donors.
Nevertheless, acknowledging the challenges financial institutions face and recognizing that maintaining normal operations of AML/CFT systems may not be achievable in all cases, the HKMA reiterated in the circular that it does not expect a “zero failure”15 outcome. Where a financial institution is unable to meet a particular short-term obligation, it should maintain a record of the circumstances, the risk assessment performed as well as any mitigation measures being taken.
The overriding objective of the statements issued by FATF and national regulators is clear. These are aimed at facilitating access to needed financial products while supporting the swift and effective implementation of measures to respond to the new and emerging AML/CTF-related risks and vulnerabilities as a result of the COVID-19 crisis. In light of these statements, notably the FATF May 2020 Statement16, financial institutions are reminded to:
- Use of a risk-based approach to customer onboarding and due diligence;
- Support electronic and digital payment options;
- Review their existing AML and CTF compliance policies and procedures to ensure they are equipped to address all issues arising from the remote means of customer onboarding and due diligence;
- Review their existing transaction-monitoring scenarios and thresholds for improvement of a financial institution’s capability to detect suspicious activity more quickly and effectively;
- Document within the prescribed AML and CTF framework of the financial institution any actual or suspected delays or disruptions in the implementation of AML/CTF measures due to potential challenges posed by the pandemic;
- Strengthen communication and coordination with other banks and financial institutions to assess the impact of COVID-19 on AML/CTF risks and systems; and
- Continue with risk mitigation through information sharing and detecting and reporting suspicious transactions to local legal enforcement agencies.
Key regulators across the globe have committed to support financial institutions in their AML and CTF efforts to address the COVID-19 pandemic. Financial institutions are reminded to provide risk-based flexibility in the implementation of AML/CTF requirements while taking proactive steps to address new and emerging illicit money-laundering and terrorist financing risks. In face of a global crisis such as the COVID-19 pandemic, financial institutions should think big but act prudently in response to the current crisis.