Over the past few months, a number of banks have come under scrutiny for their alleged failure to enforce effective anti-money laundering and countering the financing of terrorism (AML/CFT) controls. Amid a flurry of recent guidance notes and with much of the European Union preparing to implement the Fifth EU Anti-money Laundering Directive (2018/843/EU) (5MLD), this article highlights the key takeaways for banks operating across various jurisdictions and the risks for those deemed to be non-compliant with the most up-to-date legal requirements.
On 24 July 2019 the European Commission (EC) published its “Communication from the commission to the European parliament towards better implementation of the EU’s anti-money laundering and countering the financing of terrorism framework”, which – alongside four reports – draws on 10 recent high-profile cases of alleged money laundering through EU banks to highlight what it identifies as the four main weaknesses of the current regime:
- ineffective compliance with AML/CFT legal requirements;
- governance failures;
- the failure to mitigate high-risk business models; and
- ineffective group AML/CFT policies.
Highlighting a number of outstanding structural issues, the report calls for greater harmonisation in supervision by national authorities, closer prudential supervision – particularly in cross-border situations – and more structured and systematic international cooperation with key non-EU authorities. Moreover, it emphasises the proposed role of the European Banking Authority to take the lead in ensuring that breaches of relevant rules are investigated by national supervisors and to facilitate international cooperation. However, the EC has declined the European Central Bank’s calls to establish a permanent cross-border agency to police financial crime and transform recent AML directives into international regulation.
Interestingly, the report draws particular attention to the exploitation of Baltic and Nordic banks’ AML/CFT operations by a Russian money-laundering ring, suggesting greater risks for companies operating in these regions. As such, financial institutions based in these areas should ensure that they have sufficient AML risk-assessment procedures and a larger, group-level AML compliance strategy in place. Moreover, banks based outside the Baltic and Nordic regions but affiliated with financial institutions there should consider enhancing their due diligence in relation to the services provided.
In addition, the EC’s focus on governance and senior management responsibility reflects the fact that regulators expect AML/CFT risks to be given appropriate consideration at all levels of an organisation. While the report notes that some improvements can be made quickly at an operational level, the EC’s findings will serve as a basis for future policy choices and legislative developments to address the remaining structural challenges.
On 31 July 2019 the German government published its legislative proposal to implement 5MLD, which includes amendments to the Federal Ministry of Finance (BMF)’s initial requirements for cross-border matters in relation to AML due diligence conducted by third parties.
According to the BMF’s initial proposal, businesses relying on third parties to meet their AML customer due diligence requirements had to ensure that such parties complied with the German Anti-money Laundering Act, even if they were based outside Germany. However, the updated proposal has mitigated this requirement to cover trusted third parties in Germany only. Since banks are generally trusted third parties by law, the amendment should reduce the number of hurdles that they face in regard to compliance. Now, if a German bank is looking to identify a Dutch customer, for example, it can simply rely on the identification procedure of a Dutch bank that has gathered all the information required by 5MLD. By removing the impractical requirement for non-German banks to comply with German law outside Germany, the proposal should encourage cooperation between banks throughout the European Union.
On 26 July 2019 the Hong Kong Association of Banks, with input from the Hong Kong Monetary Authority (HKMA), published a series of FAQs addressing various ongoing AML/CFT issues in the region. Although the FAQs do not have the force of law, they are likely to carry weight in the examination of a bank’s conduct and any steps that it has taken to comply with the otherwise principle-based regime. In particular, the FAQs clarify a number of terms used to identify relevant persons (eg, ‘persons purporting to act on behalf of the customer’ and ‘politically exposed persons’) and how best to establish source of wealth. The FAQs also emphasise a continued interest in customer due diligence, cross-border arrangements and policies relating to virtual banks and currencies. As such, Hong Kong banks should study the FAQs to ensure not only that their AML/CFT controls comply with the HKMA’s requirements, but that any weaknesses are addressed and potentially reported.
On 30 June 2019 the Dutch ministers of finance and justice and security submitted to the House of Representatives a series of measures aimed at combating money laundering in the Netherlands. Given that an estimated €16 billion is laundered in the country every year, the plan calls on the government to:
- increase the barriers against criminals channelling illegally obtained income into the financial system;
- increase the effectiveness of the 'gatekeeper' function and how it is supervised, thereby excluding the proceeds of crime from the financial system; and
- reinforce investigations and prosecution so that criminals are dealt with more quickly and effectively.
To do this, the plan recommends – among other things – prohibiting cash payments of more than €3,000 for traders in high-value goods, withdrawing the €500 banknote from circulation, improving cooperation and information-sharing between banks, mitigating risks in the trust and accountancy sectors, increasing calls for a European supervisor and strengthening the information position of investigation authorities by making more funds available to them. Hence, if these plans are transposed into Dutch law, they will have far-reaching, practical implications for those in the banking sector.
The proposal argues that joint transaction monitoring is effective only when unusual transactions at one bank can be viewed in combination with the same customer’s transactions at another bank. It therefore recommends introducing the possibility for financial institutions to exchange certain customer information (eg, with respect to know-your-customer and transaction monitoring) with other financial institutions. To achieve this, a legal basis will need to be incorporated into national legislation to allow banks to share this kind of personal data within the framework of the EU General Data Protection Regulation.
United Arab Emirates
On 7 July 2019 the UAE minister of justice promulgated a number of resolutions introducing new AML/CFT initiatives, including establishing an AML/CFT section, issuing procedures for legal professionals and establishing a committee for managing frozen, seized and confiscated funds. The initiatives follow the publication of the UAE Securities and Commodities Authority’s AML Guidelines in May 2019, which set out the basic factors that financial institutions should take into consideration when identifying, assessing and mitigating the risks of money laundering and the financing of terrorism or illegal organisations. Although not legally binding, the guidelines provide UAE banks with crucial insight into the ways in which the supervisory authorities will construe their AML/CFT obligations and the recommended practical steps that they should take to ensure that they comply with obligations under the Anti-money Laundering and Combating the Financing of Terrorism and Illegal Organisations Law (20/2018).
On 9 July 2019 the Financial Conduct Authority (FCA) published its “Anti-money Laundering Annual Report 2018/2019“, revealing that the UK regulatory body has more than 60 ongoing AML investigations, some of which are being conducted on a dual-track basis, incorporating both criminal and regulatory investigations. The report shows that although the total number of financial penalties imposed by the FCA remains the same as the previous year, the value has increased significantly from £60.9 million to £227.3 million.
What is more, the report came only a few months after the FCA had issued the second largest financial penalty for AML controls failings in its history – fining Standard Chartered Bank more than £102 million for AML breaches, following investigations into its correspondent banking business and certain branches in the Middle East. Criticising the bank’s past approach for being “narrow, slow and reactive”, the FCA’s actions emphasise the importance for banks to adopt an agile approach that goes beyond a box-ticking exercise. Moreover, the fact that some of the Standard Chartered Bank breaches arose from the actions of junior employees highlights the risk of human error where there is inadequate oversight. One way for banks to reduce this risk is through the use of AI technology, which can support customer due diligence and transaction monitoring and automate audit trails. Indeed, 5MLD states that customer identification may now be carried out by electronic means, provided that this process is accepted by the national regulator.
On 22 July 2019 a working group comprising the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the US Department of the Treasury’s Financial Crimes Enforcement Network issued its Joint Statement on Risk-Focused Bank Secrecy Act/Anti-money Laundering Supervision, which aims to provide greater clarity regarding the risk-focused approach used in Bank Secrecy Act (BSA)/AML examinations. The statement outlines the common practices used to assess a bank’s AML/CFT risk profile and highlights that, in the same way that examiners use a risk-focused approach, banks are encouraged to use a risk-based approach to manage customer relationships. What is more, the statement highlights the regulators’ view that a bank’s board of directors provides guidance regarding acceptable risk exposure levels and corresponding policies, while management translates the board’s goals, objectives and risk limits into prudent operating standards through the implementation of policies, procedures and practices.
Rather than issue new requirements, the statement is part of a broader effort to increase the transparency, effectiveness and efficiency of the BSA/AML regime in the United States. Moreover, it reinforces the regulatory focus on risk-based AML examination and supervision, and the importance of risk-based compliance and oversight for affected financial institutions – providing another important roadmap for banks to understand what federal regulators are looking for in their on-the-ground approach to BSA/AML supervision.
Meanwhile, a number of recent investigations serve as an important reminder for multinational banks that although they may not be directly subject to US banking regulation, civil and criminal federal authorities may wade in where US-dollar transactions are cleared through the United States (so-called ‘US touchpoints’). In the past, US banking regulators would pursue AML enforcement efforts against multinational banks only in relation to conduct that occurred in or through their US subsidiary or branch. However, following the recent UniCredit settlement, multinational banks licensed in the United States may now find their worldwide activities under the scrutiny of US regulators, even where the US branch does not service those activities. International banks should therefore pay particularly close attention to any areas of business in which US touchpoints may occur.
Staying in control
Although AML obligations differ between jurisdictions, there are a number of steps that banks should be taking regardless of where they are based.
- First, ensure that you have a credible system in place for detecting suspected AML activity. As it takes both human intelligence and technical support to spot the warning signs, employee training programmes, internal communications and monitoring systems should all be up to date on the latest risks.
- Second, revisit your approach to risk assessment in light of any changes. While a risk-based approach to testing or verification activity is appropriate, failing to review this approach can give a false sense of security – as demonstrated by the various leading banks that have found themselves in hot water.
- Where risk is identified, you may need to make the difficult decision to exit the relationship (with the customer or another bank), business sector or jurisdiction. Despite push-back from stakeholders, the potential costs to the company should be the number one priority.
- Investigate any suspicious activity and keep thorough records of your decision on whether to freeze funds and file a report with the relevant authorities. If no report is filed, it is essential that the reasons for this are fully documented.
- Finally, it goes without saying that keeping abreast of the latest legal and regulatory developments will help to ensure not only that you are aware of your obligations, but that you have plenty of time to conduct thorough due diligence, assess risks and review your overall AML/CFT strategy if necessary, in order to remain compliant and demonstrate the proactive stance that the authorities may be looking for.