How to Be Effective in the Fight Against Financial Crime
Worldwide spending on AML and sanctions compliance by financial institutions in 2021 exceeded $200 billion (source: LexisNexis). But whilst AML compliance is a huge part of what financial firms do, it appears that criminals are still able to launder dirty money on an enormous scale. Recent money laundering scandals such as 1MDB and the Russian Laundromat have impacted some of the world’s largest and most prestigious financial institutions. As the global war on money laundering rages, we consider what practical changes might tip the scales to better favour financial institutions.
Expensive, but not effective?
The cost of financial crime compliance has increased exponentially over the past few decades. In recent years, perhaps inevitably, we have seen a growing questioning of whether those efforts are paying off. The effectiveness of compliance is extremely hard to measure. At a macro level, this could potentially be seen through a tangible reduction in predicate crime offences or an increase in those facing justice for their crimes. At a financial institution level, this is arguably harder to assess – does an increase in suspicious activity reports (SARs), as one possible measure, point to a more or less effective program? The answer could be argued either way. The reality for most financial institutions producing intelligence output in the form of SARs is that there is often no feedback provided as to whether the information was useful to law enforcement or not.
The consideration of effectiveness was highlighted by the Financial Action Task Force (FATF), the global AML standard setter, in 2019, when they announced a strategic review of their country's evaluation process. Amongst the goals of the strategic review was to consider ways in which changes could be made to the FATF methodology to encourage countries to more effectively combat money laundering and terrorist financing. It was noted that the existing FATF process motivated countries to take action in order to avoid a bad report, rather than with a focus on reducing harm to society or protecting the integrity of the financial system. In other words, the focus had been on implementing a process rather than assessing outcomes.
A risk-based approach
Where resources are inevitably stretched, concentrating on risk is more likely to produce effective outcomes. The FATF strategic review was finalised in March 2022 with approval of the procedures for the fifth round of mutual evaluations, which will have a greater focus on risk to ensure that countries focus efforts on the areas where risks are highest. The next cycle of FATF evaluations will also be shorter, with a stronger follow-up process that will focus primarily on improving effectiveness.
Earlier, in March 2021, FATF had issued guidance to support countries to take a risk-based approach to supervision. Supervisors play a key role in helping regulated entities to understand the risks they face and how to mitigate them, for example by providing guidance on linking a national risk assessment to an entity’s risk assessment.
The EU’s 4th Anti-Money Laundering Directive (4AMLD) mandated that the European Commission conduct an assessment of money laundering and terrorist financing risks affecting the internal market and relating to cross-border activities, and to update it at least every two years. These assessments provide useful insight into identified money laundering risks which can be leveraged at a national level. The 5AMLD further mandated that Member States make the results of their risk assessments available to the European Commission and the other Member States, and to make a summary version, without classified information, publicly available.
The European Banking Authority, also in 2021, issued revised guidance regarding risk factors for money laundering and terrorist financing, addressed to both financial institutions and supervisors. The guidance sets out risk factors for financial institutions to consider with respect to customer relationships and transactions. They also note that business-wide risk assessments should be performed at least annually, and that they should consider specific sources of information, including the European Commission’s supranational risk assessment referenced above.
Information, information, information
The risk-based approach, in terms of assessing where higher risk is likely to exist (for example in a specific product, client sector or geography) and targeting those areas, undoubtedly makes sense. But what is even more effective, is the sharing of information where there is already identified criminality.
The traditional model of transaction monitoring produces vast numbers of alerts which are usually reviewed manually in order to determine whether the activity appears ‘suspicious’. A single-institution reviewing a customer’s behaviour may find it extremely difficult to make that determination of suspicion. However, the potential penalties for not filing a SAR are such that a huge number of ‘defensive’ SARs are submitted by institutions every year; the aim being to protect the institution where there is an element of doubt. However, the compliance cost of that work is significant and, far from being helpful, this can instead overwhelm under-resourced law enforcement teams with reports that have little to no value in the fight against financial crime.
Where law enforcement and financial institutions are able to collaborate, this is far more likely to produce a tangible outcome. Initiatives such as the UK’s Joint Money-Laundering Intelligence Taskforce (JMLIT) allows prosecuting authorities to share live details of the subjects of an investigation with participating institutions without compromising investigations. This allows financial institutions to very quickly identify where they have information that is directly relevant to an ongoing criminal investigation. Law enforcement collating data from across many banks will get a much better picture of the financial funds flows, as well as supporting information and documents provided in relation to account opening and periodic KYC checks that can significantly enhance or progress an investigation.
Legislation that is in place to protect the privacy of personal data poses challenges to information sharing, but some regulators are providing assurances regarding information sharing in the AML context. In December 2020, FinCEN published updated guidance which gave great latitude in financial institutions’ ability to share relevant information with each other under existing legislation – s.314b of the USA PATRIOT Act 2001. The guidance specified that the financial institution doesn’t need to have specific information regarding proceeds of a crime or have made a conclusive determination that the related activity is suspicious. It also stated that information on attempted transactions and information which includes personally identifiable information (PII) can be shared, and financial institutions are not restricted in their methods of sharing information, including verbally.
What financial institutions can do today
Some areas of improvement that would make financial institutions more effective in combating money laundering are not within their control, particularly the creation of complete and accurate UBO registers to facilitate KYC. However, the developments discussed in this article reveal two areas where financial institutions can and must take action: firstly, really understanding and focusing effort on areas of higher money laundering risk through conducting regular and rigorous risk assessments; and secondly, actively participating in information sharing to the fullest extent possible in their jurisdiction. We are seeing an increasing trend of both public-private partnerships and, in some areas, financial institutions sharing information directly with each other – a positive trend which is only likely to continue.