The costs of meeting regulatory expectations in relation to financial crime have spiralled in recent years. Significant fines have been imposed by the FCA, and many firms have taken to exiting entire products, customer types (e.g. MSBs, religious charities and embassies) and jurisdictions, due to AML concerns and the costs of meeting regulatory expectations.
The policy of wholesale de-risking has not been without risks as Barclays Bank found when Wafic said, the syrian born billionaire, decided to sue the bank for closing his personal and business accounts.
The costs of complying with regulations are certain to increase even further. eu member states must implement the Fourth money laundering Directive ("4mlD") into domestic legislation by 26 June 2017. The 4mlD introduces additional, specific legal requirements to carry out enhanced Due Diligence ("eDD") for domestic Politically exposed Persons ("PePs"), where a customer is established in a high risk country, and/or where unusual transactions have been identified.
This article considers the new eDD requirements and provides suggestions for firms to consider when reviewing their systems and controls. in the event of Brexit, the uK will not be obliged to implement the 4mlD measures. however, it is expected the uK government will continue to align itself with Financial action Task Force ("FaTF") requirements and international best practise for financial crime systems and controls. Therefore it is likely that these measures will be implemented in the uK, regardless of the outcome of the referendum. Firms should use the next fourteen months to review their systems and controls, and prepare themselves for 4mlD.
Politically Exposed Persons ("PEPS")
Financial institutions have been required to carry out eDD on foreign PePs for a number of years. The money laundering regulations 2007, required firms to:
- establish the customer's source of wealth and source of funds;
- obtain senior management sign off for the relationship;
- and conduct enhanced ongoing monitoring.
4mlD states that such measures must now be applied to domestic PePs, and their immediate families and close associates. The new requirements will impose greater burdens on compliance departments and other groups involved in conducting due diligence and client account reviews. in January 2016, mP craig mcKinlay reported in Parliament that his 81 year old father had been subject to intense questioning when opening a bank account due to his apparent political exposure. as more individuals are identified as "politically exposed" more eDD will be required and such instances will become more common.
Many banks have already adopted the wider PEP definition. However, those who have not should revisit their customer bases, and apply the steps above to ensure compliance with the new requirements.
Customers "Established" in High Risk Countries
Many firms currently utilise a "weighted" risk assessment, whereby jurisdictional risk is considered alongside other contributing factors. This means that a customer located in a high risk jurisdiction might be rated as medium or low risk, based on mitigating factors such as delivery channel or business profile.
This approach will no longer be possible. The Directive states that customers "established" in high risk jurisdictions must be subject to EDD. Although the meaning of "established" has not been defined, it is likely that businesses incorporated or trading in these countries will be covered. The implications for individuals are less certain. The use of "established" includes residents of those countries. However, it is unclear if individuals with businesses, financial interests or property in those countries will also require EDD.
It is also unclear which countries will be determined to be high risk. The Directive indicates that the Commission will devise a list of high risk jurisdictions, utilising advice from "international organisations and standard setters in AML/CTF". No list has been provided to date, and so it is not possible to know, definitively, which jurisdictions will make the final list. Neither is it possible at the current time for firms to know exactly which customers will be impacted.
However, it would be prudent to undertake some preparation ahead of the implementation of the 4MLD. A good starting point for firms is the FATF list of high-risk and non-cooperative jurisdictions. This list indicates jurisdictions with strategic AML and financial crime weaknesses. Firms looking to prepare for 4MLD should:
- Review their customer bases to determine if any customers have links to FATF non-compliant or high-risk jurisdictions.
- Carry out EDD, if this has not already been done.
Firms may also wish to consider Transparency International's Corruption Perception Index, and advice from regulators and industry groups when reviewing their customer bases. These sources provide information regarding jurisdictions that should be regarded as high risk, in addition to the FATF list.
EDD to be applied to Customers Established in High Risk Jurisdictions
The Directive does not give the details of the EDD to be carried out on customers established in high risk jurisdictions. Firms looking to ensure compliance might use the steps required for PEPs described above. However, with the increased mandatory requirements, such measures are likely to incur significant costs.
A useful test might be to check that for customers established in risk jurisdictions:
- The firm has exceeded the level of due diligence for a standard risk customer;
- That these measures have mitigated any potential financial crime risk; and
- The rationale for the level of due diligence applied can be explained to the regulatory authority.
These are interim measures, and further work may be needed when the list of high risk countries is finalised, a definition of "established" is provided and further guidance regarding the required EDD becomes available.
Most firms already have transaction monitoring systems in place to identify unusual activity and processes to ensure appropriate SAR reporting. The 4MLD imposes a legal requirement to carry out EDD where unusual transactions are identified. However, the details of the required EDD are not specified in 4MLD. A European Banking Authority paper from October 2015 indicates that firms should establish source and destination of funds, and monitor further transactions, where potentially unusual activities are identified.
Now is a good opportunity to review transaction monitoring systems and controls. Firms could review a sample of previous unusual activity alerts, the information considered and rationale for closure. These measures will help firms determine if they are meeting the new requirements and identify customers who should be subject to EDD, whilst testing the robustness of existing transaction monitoring controls.
4MLD imposes a dual burden for regulated firms. It will increase the cost of compliance, whilst giving the Regulators new ammunition when testing firms' financial systems and controls.
4MLD may provide a new focus area, with regulators keen to test firms' compliance with new mandatory requirements and prepared to issue fines where they are not met. Now is the perfect time for firms to revisit their financial crime systems and controls, and the situations and types of customer that trigger EDD.